By default, Sinapsi eSolar Light Photovoltaic System Monitor installs with a default password. The program authenticates users who provide the password of 36e44c9b64 (and 1-2 other unspecified passwords), which is publicly known and documented, regardless of the username they provide. This allows attackers to trivially access the program or system and gain privileged access. Users are not able to change this password.

OSVDB is not aware of a solution for this vulnerability.

• CVE ID: 2012-5862 (see also: NVD)
• Exploit Database: 21273
• ISS X-Force ID: 80200
• Related OSVDB ID: 86019 86020 86021
• News Article: http://arstechnica.com/security/2012/10/solar-panel-control-systems-vulnerable-to-hacks/
  http://betabeat.com/2012/10/researchers-discover-software-controlling-solar-power-plants-is-totally-hackable/
• Vendor Specific Advisory URL: http://download.schneider-electric.com/files?L=en&p=&p_docId=&p_docId=&p_Reference=SEVD-2012-289-01A&p_EnDocType=Technical%20paper&p_File_Id=28913178&p_File_Name=SEVD-2012-289-01A-Ezylog.pdf
  http://www.downloads.schneider-electric.com/sites/oreo/ww/document-detail.page?p_docId=28747522&p_Conf=i
  http://www2.schneider-electric.com/corporate/en/support/cybersecurity/viewer-news.page?c_filepath=/templatedata/Content/News/data/en/local/cybersecurity/general_information/2012/12/20121206_advisory_of_vulnerability_affecting_ezylog_monitoring_product_.xm
• Vendor URL: http://www.schneider-electric.com/site/home/index.cfm/us/
• Other Advisory URL: http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-284-01.pdf
• Vendor Specific News/Changelog Entry: http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/cyber-security-vulnerabilities-sorted.page

• Roberto Paleari
• Ivan Speziale