Insecure default settings have been found in recorder products provided by Yokogawa Electric Corporation. The default setting of the authentication function is disabled on the affected products. Therefore, when connected to a network with default settings, anyone can access all functions related to settings and operations. As a result, an attacker can illegally manipulate and configure important data such as measured values and settings. This issue affects GX10 / GX20 / GP10 / GP20 Paperless Recorders: R5.04.01 or earlier; GM Data Acquisition System: R5.05.01 or earlier; DX1000 / DX2000 / DX1000N Paperless Recorders: R4.21 or earlier; FX1000 Paperless Recorders: R1.31 or earlier; μR10000 / μR20000 Chart Recorders: R1.51 or earlier; MW100 Data Acquisition Units: All versions; DX1000T / DX2000T Paperless Recorders: All versions; CX1000 / CX2000 Paperless Recorders: All versions.
The error results from the use of an insecure default configuration (CWE-1188): the authentication mechanism is disabled at the factory. When a device is connected to the network without prior settings changes, it requires no credentials to access the management interface. An attacker can therefore remotely, without logging in, perform any operations available to an authorized user — including reading, modifying, and deleting measurement data and configuration parameters.
An attacker gains full, unauthorized control over the device: can manipulate measurement data, change settings critical to the process, and disrupt the operation of data acquisition systems, which in industrial environments can lead to serious operational and safety consequences.
Authentication functionality must be immediately enabled on all vulnerable devices according to the manufacturer's guidelines contained in bulletin YSAR-25-0001-E (https://web-material3.yokogawa.com/1/36974/files/YSAR-25-0001-E.pdf). For devices marked as 'all versions' (MW100, DX1000T/DX2000T, CX1000/CX2000), patches available from the manufacturer should be applied according to references or compensating access control measures should be implemented (network segmentation, firewall, device isolation from public networks). Until patches are applied, devices should be isolated from external networks and accessible only from trusted network segments.
GX10 / GX20 / GP10 / GP20 Paperless Recorders: R5.04.01 and earlier; GM Data Acquisition System: R5.05.01 and earlier; DX1000 / DX2000 / DX1000N Paperless Recorders: R4.21 and earlier; FX1000 Paperless Recorders: R1.31 and earlier; μR10000 / μR20000 Chart Recorders: R1.51 and earlier; MW100 Data Acquisition Units: all versions; DX1000T / DX2000T Paperless Recorders: all versions; CX1000 / CX2000 Paperless Recorders: all versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H