{"api_version":"1","generated_at":"2026-06-27T07:36:30+00:00","cve":"CVE-2018-8855","urls":{"html":"https://cve.report/CVE-2018-8855","api":"https://cve.report/api/cve/CVE-2018-8855.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-8855","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-8855"},"summary":{"title":"CVE-2018-8855","description":"Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices allow unencrypted Web connections by default, and devices can receive configuration and firmware updates by unsecure FTP.","state":"PUBLISHED","assigner":"icscert","published_at":"2018-07-24 17:29:00","updated_at":"2026-06-02 21:16:22"},"problem_types":["CWE-319","CWE-319 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.0","source":"nvd@nist.gov","type":"Primary","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"7.5","severity":"","vector":"AV:N/AC:L/Au:N/C:P/I:P/A:P","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"}}],"references":[{"url":"https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03","name":"https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory","US Government Resource"],"title":"Echelon SmartServer 1, SmartServer 2, SmartServer 3, i.LON 100, i.LON 600 (Update A) | CISA","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-8855","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-8855","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Echelon","product":"SmartServer 1","version":"affected all versions","platforms":[]},{"source":"CNA","vendor":"Echelon","product":"SmartServer 2","version":"affected all versions prior to release 4.11.007","platforms":[]},{"source":"CNA","vendor":"Echelon","product":"i.LON 100","version":"affected all versions","platforms":[]},{"source":"CNA","vendor":"Echelon","product":"i.LON 600","version":"affected all versions","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"8855","vulnerable":"0","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"echelon","cpe5":"i.lon_100","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"8855","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"echelon","cpe5":"i.lon_100_firmware","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"8855","vulnerable":"0","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"echelon","cpe5":"i.lon_600","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"8855","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"echelon","cpe5":"i.lon_600_firmware","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"8855","vulnerable":"0","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"echelon","cpe5":"smartserver_1","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"8855","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"echelon","cpe5":"smartserver_1_firmware","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"8855","vulnerable":"0","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"echelon","cpe5":"smartserver_2","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"8855","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"echelon","cpe5":"smartserver_2_firmware","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2018","cve_id":"8855","cve":"CVE-2018-8855","epss":"0.001480000","percentile":"0.350390000","score_date":"2026-06-08","updated_at":"2026-06-09 00:12:52"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-05T07:10:46.267Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03"}],"title":"CVE Program Container"},{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2018-8855","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-06-02T19:47:47.006121Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-02T19:53:51.367Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"SmartServer 1","vendor":"Echelon","versions":[{"status":"affected","version":"all versions"}]},{"product":"SmartServer 2","vendor":"Echelon","versions":[{"status":"affected","version":"all versions prior to release 4.11.007"}]},{"product":"i.LON 100","vendor":"Echelon","versions":[{"status":"affected","version":"all versions"}]},{"product":"i.LON 600","vendor":"Echelon","versions":[{"status":"affected","version":"all versions"}]}],"datePublic":"2018-07-19T00:00:00.000Z","descriptions":[{"lang":"en","value":"Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices allow unencrypted Web connections by default, and devices can receive configuration and firmware updates by unsecure FTP."}],"problemTypes":[{"descriptions":[{"cweId":"CWE-319","description":"CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2018-07-24T16:57:01.000Z","orgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","shortName":"icscert"},"references":[{"tags":["x_refsource_MISC"],"url":"https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"ics-cert@hq.dhs.gov","DATE_PUBLIC":"2018-07-19T00:00:00","ID":"CVE-2018-8855","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"SmartServer 1","version":{"version_data":[{"version_value":"all versions"}]}},{"product_name":"SmartServer 2","version":{"version_data":[{"version_value":"all versions prior to release 4.11.007"}]}},{"product_name":"i.LON 100","version":{"version_data":[{"version_value":"all versions"}]}},{"product_name":"i.LON 600","version":{"version_data":[{"version_value":"all versions"}]}}]},"vendor_name":"Echelon"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices allow unencrypted Web connections by default, and devices can receive configuration and firmware updates by unsecure FTP."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319"}]}]},"references":{"reference_data":[{"name":"https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03","refsource":"MISC","url":"https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03"}]}}}},"cveMetadata":{"assignerOrgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","assignerShortName":"icscert","cveId":"CVE-2018-8855","datePublished":"2018-07-24T17:00:00.000Z","dateReserved":"2018-03-20T00:00:00.000Z","dateUpdated":"2026-06-02T19:53:51.367Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2018-07-24 17:29:00","lastModifiedDate":"2026-06-02 21:16:22","problem_types":["CWE-319","CWE-319 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"cvssMetricV30":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:echelon:smartserver_1_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"82A8FFC2-7191-42FE-8F71-77DE83945FFA"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:echelon:smartserver_1:-:*:*:*:*:*:*:*","matchCriteriaId":"9D78AEC2-D6E0-42EE-AEF4-5AEBA6B29611"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:echelon:smartserver_2_firmware:*:*:*:*:*:*:*:*","versionEndExcluding":"4.11.007","matchCriteriaId":"83547993-8A11-4A60-9CBE-3CD006272A1C"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:echelon:smartserver_2:-:*:*:*:*:*:*:*","matchCriteriaId":"418DEBAC-57D5-4BA8-806B-3DC235F1B625"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:echelon:i.lon_100_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"4DC38B32-715F-4ECA-AA60-15BE5EEB0DDE"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:echelon:i.lon_100:-:*:*:*:*:*:*:*","matchCriteriaId":"D195E8CF-A5E2-4799-A0EF-189A825BB3AF"}]}]},{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:echelon:i.lon_600_firmware:-:*:*:*:*:*:*:*","matchCriteriaId":"D1F3F845-E167-48A6-B159-39634D4D5DEB"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:echelon:i.lon_600:-:*:*:*:*:*:*:*","matchCriteriaId":"129D5CFF-EE75-4AED-89B1-DD947359DFFE"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"8855","Ordinal":"1","Title":"CVE-2018-8855","CVE":"CVE-2018-8855","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"8855","Ordinal":"1","NoteData":"Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices allow unencrypted Web connections by default, and devices can receive configuration and firmware updates by unsecure FTP.","Type":"Description","Title":"CVE-2018-8855"},{"CveYear":"2018","CveId":"8855","Ordinal":"2","NoteData":"2018-07-24","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"8855","Ordinal":"3","NoteData":"2018-07-24","Type":"Other","Title":"Modified"}]}}}