“This could allow a malicious user to access the device and make changes to the configuration without authentication. Unfortunately, the ICS-CERT tried several times to contact the German vendor RLE International without success.
The cross-site request forgery vulnerability affecting the XZERES turbine could be exploited by hackers to change the administrator password for the web management interface. The attackers will gain complete control of the turbine; as the researcher explained, he would “change the wind vane correction, or change the network settings to access the web interface that would make it inaccessible. This can be certainly critical for the implementation of a successful attack.” The ICS-CERT ranked the security issue as 10 of 10 on the standard Common Vulnerability Scoring System; the organization considers the flaw dangerous due to the ease of remote exploitation.”
Source: securityaffairs.co