{"api_version":"1","generated_at":"2026-06-27T07:37:40+00:00","cve":"CVE-2018-8851","urls":{"html":"https://cve.report/CVE-2018-8851","api":"https://cve.report/api/cve/CVE-2018-8851.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-8851","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-8851"},"summary":{"title":"CVE-2018-8851","description":"Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices store passwords in plaintext, which may allow an attacker with access to the configuration file to log into the SmartServer web user interface.","state":"PUBLISHED","assigner":"icscert","published_at":"2018-07-24 17:29:00","updated_at":"2026-06-02 21:16:22"},"problem_types":["CWE-256","CWE-522","CWE-256 UNPROTECTED STORAGE OF CREDENTIALS CWE-256"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.0","source":"nvd@nist.gov","type":"Primary","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"5","severity":"","vector":"AV:N/AC:L/Au:N/C:P/I:N/A:N","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","baseScore":5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"}}],"references":[{"url":"https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03","name":"https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory","US Government Resource"],"title":"Echelon SmartServer 1, SmartServer 2, SmartServer 3, i.LON 100, i.LON 600 (Update A) | CISA","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-8851","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-8851","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Echelon","product":"SmartServer 1","version":"affected all versions","platforms":[]},{"source":"CNA","vendor":"Echelon","product":"SmartServer 2","version":"affected all versions prior to release 4.11.007","platforms":[]},{"source":"CNA","vendor":"Echelon","product":"i.LON 100","version":"affected all versions","platforms":[]},{"source":"CNA","vendor":"Echelon","product":"i.LON 600","version":"affected all versions","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"8851","vulnerable":"0","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"echelon","cpe5":"i.lon_100","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"8851","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"echelon","cpe5":"i.lon_100_firmware","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"8851","vulnerable":"0","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"echelon","cpe5":"i.lon_600","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"8851","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"echelon","cpe5":"i.lon_600_firmware","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"8851","vulnerable":"0","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"echelon","cpe5":"smartserver_1","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"8851","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"echelon","cpe5":"smartserver_1_firmware","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"8851","vulnerable":"0","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"echelon","cpe5":"smartserver_2","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"8851","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"echelon","cpe5":"smartserver_2_firmware","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2018","cve_id":"8851","cve":"CVE-2018-8851","epss":"0.002230000","percentile":"0.450700000","score_date":"2026-06-08","updated_at":"2026-06-09 00:12:52"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-05T07:10:45.892Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03"}],"title":"CVE Program Container"},{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2018-8851","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-06-02T19:58:21.618546Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-02T19:58:52.622Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"SmartServer 1","vendor":"Echelon","versions":[{"status":"affected","version":"all versions"}]},{"product":"SmartServer 2","vendor":"Echelon","versions":[{"status":"affected","version":"all versions prior to release 4.11.007"}]},{"product":"i.LON 100","vendor":"Echelon","versions":[{"status":"affected","version":"all versions"}]},{"product":"i.LON 600","vendor":"Echelon","versions":[{"status":"affected","version":"all versions"}]}],"datePublic":"2018-07-19T00:00:00.000Z","descriptions":[{"lang":"en","value":"Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices store passwords in plaintext, which may allow an attacker with access to the configuration file to log into the SmartServer web user interface."}],"problemTypes":[{"descriptions":[{"cweId":"CWE-256","description":"UNPROTECTED STORAGE OF CREDENTIALS CWE-256","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2018-07-24T16:57:01.000Z","orgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","shortName":"icscert"},"references":[{"tags":["x_refsource_MISC"],"url":"https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"ics-cert@hq.dhs.gov","DATE_PUBLIC":"2018-07-19T00:00:00","ID":"CVE-2018-8851","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"SmartServer 1","version":{"version_data":[{"version_value":"all versions"}]}},{"product_name":"SmartServer 2","version":{"version_data":[{"version_value":"all versions prior to release 4.11.007"}]}},{"product_name":"i.LON 100","version":{"version_data":[{"version_value":"all versions"}]}},{"product_name":"i.LON 600","version":{"version_data":[{"version_value":"all versions"}]}}]},"vendor_name":"Echelon"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices store passwords in plaintext, which may allow an attacker with access to the configuration file to log into the SmartServer web user interface."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"UNPROTECTED STORAGE OF CREDENTIALS CWE-256"}]}]},"references":{"reference_data":[{"name":"https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03","refsource":"MISC","url":"https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03"}]}}}},"cveMetadata":{"assignerOrgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","assignerShortName":"icscert","cveId":"CVE-2018-8851","datePublished":"2018-07-24T17:00:00.000Z","dateReserved":"2018-03-20T00:00:00.000Z","dateUpdated":"2026-06-02T19:58:52.622Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2018-07-24 17:29:00","lastModifiedDate":"2026-06-02 21:16:22","problem_types":["CWE-256","CWE-522","CWE-256 UNPROTECTED STORAGE OF CREDENTIALS CWE-256"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"cvssMetricV30":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","baseScore":5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:echelon:smartserver_1_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"82A8FFC2-7191-42FE-8F71-77DE83945FFA"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:echelon:smartserver_1:-:*:*:*:*:*:*:*","matchCriteriaId":"9D78AEC2-D6E0-42EE-AEF4-5AEBA6B29611"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:echelon:smartserver_2_firmware:*:*:*:*:*:*:*:*","versionEndExcluding":"4.11.007","matchCriteriaId":"83547993-8A11-4A60-9CBE-3CD006272A1C"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:echelon:smartserver_2:-:*:*:*:*:*:*:*","matchCriteriaId":"418DEBAC-57D5-4BA8-806B-3DC235F1B625"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:echelon:i.lon_100_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"4DC38B32-715F-4ECA-AA60-15BE5EEB0DDE"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:echelon:i.lon_100:-:*:*:*:*:*:*:*","matchCriteriaId":"D195E8CF-A5E2-4799-A0EF-189A825BB3AF"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:echelon:i.lon_600_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"D1F3F845-E167-48A6-B159-39634D4D5DEB"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:echelon:i.lon_600:-:*:*:*:*:*:*:*","matchCriteriaId":"129D5CFF-EE75-4AED-89B1-DD947359DFFE"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"8851","Ordinal":"1","Title":"CVE-2018-8851","CVE":"CVE-2018-8851","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"8851","Ordinal":"1","NoteData":"Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices store passwords in plaintext, which may allow an attacker with access to the configuration file to log into the SmartServer web user interface.","Type":"Description","Title":"CVE-2018-8851"},{"CveYear":"2018","CveId":"8851","Ordinal":"2","NoteData":"2018-07-24","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"8851","Ordinal":"3","NoteData":"2018-07-24","Type":"Other","Title":"Modified"}]}}}