February 22, 2017 Karn Ganeshen

[ICS] Carlo Gavazzi VMUC-EM Energy Meter – Multiple Vulnerabilities

Carlo Gavazzi VMUC-EM Energy Meter Multiple Vulnerabilities

ICS-CERT Advisory


Vulnerable versions

  • VMU-C EM prior to firmware Version A11_U05, and
  • VMU-C PV prior to firmware Version A17

VMU-C Web-Server solution for photovoltaic applications

VMU-C EM is a data logger system for small to medium projects, VMUC-Y EM is a hardware data aggregator for medium to larger projects and Em2 Server is a software solution for large projects. They are designed to complement the extensive line of Carlo Gavazzi energy meters and current transformers.

VMU-C EM is a modular system that records, monitors and transmits analog and digital signals from an industrial, commercial or residential installation with a specific focus on energy efficiency. The system includes a web server with a powerful and intuitive user interface to monitor data and set up the system. Data can be transmitted using various protocols (FTP, HTTP, Modbus TCP/IP) and via wired or wireless connection.

VMU-C EM Features:

Data logger for energy meters, environmental sensors and rate pulsesWeb server function & data transfer (FTP, HTTP Modbus/TCP slave)RS-485 and Ethernet communication with metersUSB ports for communication and backupMicro SD card port for data backupData management of electrical variables from up to 32 energy metersSupport for most Carlo Gavazzi metersSupport for non-Carlo Gavazzi meters with open Modbus toolOption for up to 33 dual I/O modulesOption for up to 11 analog, 22 temperature and 11 pulse rate inputscUL listed product


1. Weak Credentials Management

-> admin/admin
-> Application does not enforce mandatory password change

2. Sensitive Information stored in clear-text

Accounts menu option
⇒ shows username and password
⇒ passwords shown in clear-text
⇒ SMTP server password
⇒ user and service passwords are stored in clear-text

3. Access Control flaws
  1. Access control is not enforced correctly
  2. Certain application functions can be accessed without any authentication
  3. Application stores the Energy / Plant data in a sqlite database – EWPlant.db. Anyone can dump plant database file – without any authentication

4. Reflected + Stored XSS – multiple URLs, parameters -> Not documented in ICS-CERT Advisory

5. Vulnerable to Cross-Site Request Forgery

There is no CSRF Token generated per page and / or per (sensitive) function. Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device such as configuration parameter changes, and saving modified configuration.


Tagged: , , , , , , , , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *