CVE-2021-22763 in PowerLogic PM55xxinfo

Summary

by MITRE • 06/11/2021

A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists in PowerLogic PM55xx, PowerLogic PM8ECC, PowerLogic EGX100 and PowerLogic EGX300 (see security notification for version infromation) that could allow an attacker administrator level access to a device.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 05/30/2026

The vulnerability identified as CVE-2021-22763 represents a critical weakness in the password recovery mechanisms of several PowerLogic power monitoring and control devices including the PM55xx series, PM8ECC, EGX100, and EGX300 models. This weakness falls under CWE-640, which specifically addresses insecure password recovery processes that can lead to unauthorized administrative access. The flaw fundamentally undermines the authentication security model of these industrial devices, creating a significant entry point for malicious actors seeking to compromise operational technology systems.

The technical implementation of the password recovery mechanism in these devices contains a critical design flaw that allows attackers to bypass normal authentication procedures and gain administrative privileges without proper authorization. This vulnerability stems from inadequate validation of password reset requests and potentially predictable recovery tokens or mechanisms that do not adequately verify user identity. The weakness exists in the device's web interface and management protocols, where the password recovery process does not properly authenticate the user attempting to reset credentials, enabling unauthorized access to administrative functions.

The operational impact of this vulnerability extends beyond simple credential compromise, as it allows attackers to assume full administrative control over critical power monitoring equipment. This level of access enables malicious actors to modify device configurations, alter power consumption data, disable protective mechanisms, and potentially cause operational disruptions or safety hazards in industrial environments. The vulnerability affects devices that are typically deployed in critical infrastructure settings where power monitoring and control systems require robust security measures to prevent unauthorized modifications that could impact electrical operations and safety protocols.

Organizations should implement immediate mitigations including disabling unnecessary password recovery features, implementing strong account lockout mechanisms, and ensuring that all devices are running the latest firmware versions that address this vulnerability. The remediation process should also include network segmentation to limit access to these devices, implementing multi-factor authentication where possible, and conducting thorough security assessments of all industrial control systems. This vulnerability aligns with attack patterns documented in the mitre att&ck framework under the credential access and privilege escalation domains, highlighting the importance of robust authentication mechanisms in industrial control systems.

Security teams should also consider the broader implications of this vulnerability within their overall security posture, particularly in environments where these devices are part of larger industrial control networks. The weakness demonstrates the critical importance of secure password recovery mechanisms in embedded systems and highlights the need for comprehensive security testing of operational technology devices before deployment. Organizations must also establish procedures for regularly updating and patching industrial control systems to address newly discovered vulnerabilities that could compromise operational integrity and safety protocols.

Reservation

01/06/2021

Disclosure

06/11/2021

Moderation

accepted

CPE

ready

EPSS

0.01843

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!