Authentication Bypass Vulnerability in ECOA BAS Controller: Exploiting Cookie Poisoning to Compromise Smart Homes and Buildings

CVE-2021-41292 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

The ECOA BAS controller suffers from an authentication bypass vulnerability. Through cookie poisoning, an unauthenticated remote attacker can bypass authentication, disclose sensitive information, circumvent physical access controls in smart homes and buildings, and manipulate HVAC.
