Rockwell Automation 176x PLC Controllers Remote Information Disclosure

April 24, 2015

Allen-Bradley is a division of Rockwell Automation who makes a line of programmable logic controllers (PLC) under the MicroLogix and CompactLogix brands. Several models have a web interface that doesn’t require authentication. These include:

This allows a remote attacker get a lot of information including:

  • Internal IP address (/index.html?redirect=/home.asp and /diagnetwork.asp)
  • List of remote IP connections (/rokform/advancedDiags?pageReq=tcpconn)
  • Network settings
  • Application connections
  • Bridge connections
  • Ethernet statistics
  • Ring statistics
  • Network diagnostics
  • System data
  • Event log
  • Assert log
  • .. and more

Mitsubishi Programmable Controller, High Speed Data Logger Module Internal IP Disclosure

April 23, 2015

The Mitsubishi Programmable Controller, High Speed Data Logger Module has a web interface that does not require authentication. However the Internet facing service still discloses an internal IP address for the link to the FTP server even if it is not Internet facing.


Shinsei URoad-Home WiMAX Wi-Fi Router Web Interface Default Admin Credentials

April 22, 2015

The Shinsei URoad-Home WiMAX Wi-Fi Router has a web management interface that has default administrator credentials according to the manual.

Type in the login dialog box as follows, and then click the “OK” button.
Username: admin
Password: admin

Omron NS-Series Programmable Terminals Web Interface Default Credentials

April 21, 2015

Omron NS-Series Programmable Terminals which include NS12-TS01-V2, NS10-TV01-V2, NS8-TV01-V2, NS5-SQ11-V2, NS5-TQ11-V2 and NS5-MQ11-V2, have default credentials for web access according to the manual.

Enter the user name and password.
The factory settings for the user name and password are as follows.
User name default
Password default

Mobotix Cameras Web Interface Default Admin Credentials

April 20, 2015

Mobotix cameras have a web interface to view the camera feed. Several models have default admin credentials according to the manuals, including the Hemispheric Q25, AllroundDual M15 and Allround M25. More manuals are available and all of the models are likely affected including DualDome D15, Dome D25, FlexMount S15, Hemispheric c25, Hemispheric i25 and Vandalism V15.

Default user data
User name: admin
password: meinsm

NetComm Wireless NTC-6000 Series 3G M2M Router Multiple Default Accounts

April 19, 2015

The NetComm Wireless NTC-6000 Series 3G M2M Router has default credentials for both telnet and web access according to the manual.

Enter the login username and password. If this is the first time you are logging in or you have not previously configured the password for the “root” or “admin” accounts, you can use one of the default account details to log in.
Username: root
Password: admin
Username: admin
Password: admin

Novus Temperature Controllers Default Passwords

April 18, 2015

The Novus N1040, N480D, N960, N1020, N1040i, N1540, N2000, N3000 and N120 Temperature Controller contains a default access password and default master password (trivially generated based on serial number) according to the manual:

The protected levels, when accessed, request the user to provide the Access Password for granting permission to change the configuration of the parameters on these levels. The prompt PASS precedes the parameters on the protected levels. If no password is entered, the parameters of the protected levels can only be visualized. The Access Password is defined by the user in the parameter Password Change (PAS.(), present in the Calibration Level. The factory default for the password code is 1111.

The Master Password is intended for allowing the user to define a new password in the event of it being forgotten. The Master Password doesn’t grant access to all parameters, only to the Password Change parameter (PAS(). After defining the new password, the protected parameters may be accessed (and modified) using this new password. The master password is made up by the last three digits of the serial number of the controller added to the number 9000. As an example, for the equipment with serial number 07154321, the master password is 9 3 2 1.

WAGO 758 Series IPC Controller Default Accounts

April 17, 2015

The WAGO 758 Series IPC controller has several default accounts. According to the wording of the documentation all of their IPCs probably have the same:

The WAGO IPCs are shipped with several different user names and default passwords.
– Root / wago
– Admin / wago
– User / user
– Guest /guest

Ubiquiti AirControl Web Management Default Admin Credentials

April 16, 2015

Ubiquiti AirControl sets up three web servers by default. The management port is on port 9005 and has default administrator credentials of ‘ubnt’ and ‘ubnt’. From their wiki:

Configure basic settings of AirControl, like: HTTP Port (by default: 9080), HTTPS Port (by default: 9443), Management Port (by default: 9005) and Administrator credentials (default username and password are ubnt). Click Next.

Carlo Gavazzi PowerSoft Multiple Default Accounts

December 23, 2014

Carlo Gavazzi PowerSoft is a SCADA system for energy management. According to the vendor page:

Carlo Gavazzi is an international group active in designing, manufacturing and marketing electronic equipment.

The Group’s products (sensors, monitoring relays, timers, energy management systems, solid state-relays, safety devices, fieldbus systems) provide automation solutions for the global markets of industrial and building automation.

The manual shows that it has several default accounts:

The installing program sets two default users on the system:
User 1:
Name: admin
Password: admin
Level: Administrator
User 2:
Name: user
Password: user
Level: User
These default users can access all the PowerSoft functions (according to the relevant level, see below) but, for safety reasons, it is suggested to create at least a new “Administrator” user (or more of them and the required simple “Users”= and then delete both the default users.
The “User” can access all the data, acknowledge the alarms, and ask for any report, also via web-server.
The “Administrator” can access all the “User’s functions and, in addition, can configure Powersoft and all the relevant modules
A user without the password can only access the real-time values and display the active alarms list.


Get every new post delivered to your Inbox.

Join 793 other followers