Meteocontrol Patches Flaws in Photovoltaic Data Logger

Meteocontrol, a Germany-based company that specializes in solar performance monitoring solutions, has released an update for one of its data logging products to address several remotely exploitable vulnerabilities.

Security researcher Karn Ganeshen discovered that Meteocontrol’s WEB’log product, which allows organizations to centrally record data for their photovoltaic systems, is plagued by critical authentication and information exposure flaws. The issues were reported to the vendor through ICS-CERT in December 2015.

The vulnerable SCADA system is used in Europe and, in a small percentage of cases, the United States, in the energy, water, critical manufacturing and commercial facilities sectors.

Ganeshen discovered that the WEB’log administration interface does not enforce access control, so any webpage is directly accessible through its URL (CVE-2016-2296). The researcher also found a default login password, and that the administrator password is stored in clear text and can be easily obtained (CVE-2016-2298).

Ganeshen also identified a command shell-like feature that allows anyone to execute system commands without authentication (CVE-2016-2297). While the vendor noted that the feature cannot be used to run critical system commands, the expert believes it introduces unnecessary risks.

In a blog post published on Saturday, the researcher revealed the existence of a cross-site request forgery (CSRF) flaw that can be exploited to perform actions on behalf of the user.

“Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device such as modifying plant data, modifying modbus/inverter/any other PLC devices, changing Administrator password, changing configuration parameters, saving modified configuration, & device reboot,” Ganeshen said.

This vulnerability was reported to ICS-CERT at a later time, so it might not have been patched.

According to an advisory published by ICS-CERT, the vulnerabilities affect all versions of WEB’log Basic 100, Light, Pro and Pro Unlimited. Meteocontrol has released a new version to address the issues.

The flaws can be exploited remotely even by an attacker with low skill. However, the vendor noted that its product should be installed behind a firewall and not directly connected to the Internet.

“There is no security. It is a free play, as you would have noticed,” Ganeshen said. “And the risk is high. Due to access control issues, above described vulnerabilities can be remotely exploited easily, at a mass scale, in an automated manner. At this point, it is easy to write a script that will POST (write) arbitrary configuration parameters to WEB’log applications, and reboot the devices, at a mass scale.”

Meteocontrol is not the only company whose ICS products have been analyzed by Ganeshen. In the past months, the researcher reported vulnerabilities to WAGO, Schneider Electric, Moxa, GE Industrial Solutions, XZERES, Nordex and eWON.

*Updated with additional information from Karn Ganeshen

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
