
CVE-2024-55021: Weintek Easyweb Information Disclosure

CVE-2024-55021 is an information disclosure vulnerability in Weintek Easyweb involving a hardcoded FTP password. This security flaw exposes sensitive credentials. This post covers technical details, impact, and mitigation.

CVE-2024-55021 Overview

CVE-2024-55021 affects the Weintek cMT-3072XH2 human-machine interface (HMI) running easyweb v2.1.53 on OS version 20231011. The device ships with a hardcoded password embedded in the FTP protocol implementation. Attackers with network access to the FTP service can authenticate using the static credential without any prior compromise. The flaw maps to CWE-798: Use of Hard-coded Credentials and CWE-78: OS Command Injection. The Weintek cMT-3072XH2 is an industrial HMI deployed in operational technology (OT) environments, which raises the operational impact of credential exposure on this class of device.

Critical Impact

Remote, unauthenticated network attackers can authenticate to the FTP service using a hardcoded password and access sensitive files stored on the HMI.

Affected Products

  • Weintek easyweb 2.1.53
  • Weintek cMT-3072XH2 firmware 20231011
  • Weintek cMT-3072XH2 HMI hardware

Discovery Timeline

  • 2026-03-03 - CVE-2024-55021 published to NVD
  • 2026-03-09 - Last updated in NVD database

Technical Details for CVE-2024-55021

Vulnerability Analysis

The Weintek cMT-3072XH2 exposes an FTP server as part of its easyweb management stack. The FTP protocol handler contains a hardcoded password compiled into the firmware. Because the credential is static across deployed units, knowledge of the secret grants access to every device running the affected firmware revision.

The vulnerability is reachable over the network without user interaction or prior privileges. An attacker who reaches TCP/21 on the device can authenticate and interact with the FTP service. The CWE-78 mapping indicates that downstream operations on the device may interpret attacker-controlled file content or paths as operating system commands, broadening the potential impact beyond simple file disclosure.

For industrial HMIs, FTP access often exposes project files, recipe data, alarm logs, and configuration assets that drive PLC interactions. Disclosure of these assets can support follow-on attacks against connected controllers.

Root Cause

The root cause is the inclusion of a static credential inside the firmware image rather than per-device provisioned secrets. Hardcoded credentials cannot be rotated by operators and remain valid until the vendor issues an updated firmware build that removes or randomizes them.

Attack Vector

Exploitation requires network reachability to the FTP service on the HMI. An attacker connects to TCP/21, supplies the known hardcoded password, and is granted access without further authentication checks. No social engineering or local access is required. Public proof-of-concept material is referenced in the GitHub Gist PoC Repository and the Notion Security Overview.

No verified exploit code is reproduced here. Refer to the linked references for technical specifics.

Detection Methods for CVE-2024-55021

Indicators of Compromise

  • Successful FTP authentications to Weintek cMT-3072XH2 devices from addresses outside the engineering workstation allowlist.
  • Outbound transfers of project files, log archives, or configuration data from HMI FTP services to unfamiliar destinations.
  • FTP sessions to HMIs originating from corporate IT or external networks rather than the OT enclave.

Detection Strategies

  • Inspect network flow records for TCP/21 traffic to Weintek HMI subnets and alert on connections from unauthorized sources.
  • Capture FTP control channel traffic and correlate USER and PASS commands with expected operator accounts.
  • Run authenticated scans or banner checks against HMIs to inventory devices running easyweb v2.1.53 and firmware 20231011.

Monitoring Recommendations

  • Forward firewall and switch logs covering the OT segment to a central analytics platform and retain FTP session metadata.
  • Baseline normal FTP activity for each HMI and alert on session count, byte volume, or source address deviations.
  • Monitor for new files written to HMI FTP directories that could indicate command injection staging consistent with CWE-78.
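As an added example (not part of the original advisory), the Python below implements the control-channel detection strategy and the per-source baseline item above: it walks FTP control-channel log lines captured in front of the HMI VLAN, pairs each USER/PASS exchange with the server's 230 reply, and alerts on successful logins whose source is outside the engineering allowlist. The HMI subnet, allowlist, account name and log lines are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample FTP control-channel log (not real capture data). Each line is
# "<timestamp> <client_ip> <hmi_ip> <C|S> <message>", as a capture or FTP proxy in
# front of the HMI VLAN might emit; C = client command, S = server reply. The
# client/HMI columns keep the same order for both directions.
SAMPLE_LOG = """\
2024-06-01T08:00:01Z 10.20.5.11 10.20.40.10 C USER operator
2024-06-01T08:00:01Z 10.20.5.11 10.20.40.10 C PASS ********
2024-06-01T08:00:02Z 10.20.5.11 10.20.40.10 S 230 Login successful.
2024-06-01T08:05:17Z 192.168.77.3 10.20.40.10 C USER operator
2024-06-01T08:05:17Z 192.168.77.3 10.20.40.10 C PASS ********
2024-06-01T08:05:18Z 192.168.77.3 10.20.40.10 S 230 Login successful.
2024-06-01T08:06:00Z 203.0.113.9 10.20.40.11 C USER operator
2024-06-01T08:06:00Z 203.0.113.9 10.20.40.11 C PASS ********
2024-06-01T08:06:01Z 203.0.113.9 10.20.40.11 S 530 Login incorrect.
"""

# Assumed environment values: the OT VLAN holding the HMIs and the
# engineering workstations permitted to open FTP sessions to them.
HMI_SUBNET = ipaddress.ip_network("10.20.40.0/24")
ENGINEERING_ALLOWLIST = {ipaddress.ip_address("10.20.5.11")}


def find_unauthorized_ftp_logins(log_text, hmi_subnet=HMI_SUBNET,
                                 allowlist=ENGINEERING_ALLOWLIST):
    """Return (alerts, attempts): alerts for FTP logins to HMIs that succeeded
    (reply 230) from sources outside the allowlist, and a per-source count of
    PASS commands sent to HMIs, usable as a baseline for attempt volume."""
    pending_user = {}            # (client, hmi) -> last USER name on that session
    attempts = defaultdict(int)  # client -> number of PASS commands sent to HMIs
    alerts = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 5:
            continue                       # skip blank or malformed lines
        ts, src, dst, direction, msg = parts
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst_ip not in hmi_subnet:
            continue                       # only sessions into the HMI VLAN matter
        key = (src, dst)
        if direction == "C" and msg.upper().startswith("USER "):
            pending_user[key] = msg.split(maxsplit=1)[1]
        elif direction == "C" and msg.upper().startswith("PASS"):
            attempts[src] += 1
        elif direction == "S" and msg.startswith("230") and src_ip not in allowlist:
            alerts.append({"time": ts, "src": src, "dst": dst,
                           "user": pending_user.get(key, "?")})
    return alerts, dict(attempts)
```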

How to Mitigate CVE-2024-55021

Immediate Actions Required

  • Block inbound TCP/21 to Weintek cMT-3072XH2 devices at the OT firewall and restrict access to a defined engineering workstation list.
  • Disable the FTP service on the HMI if it is not required for production operations.
  • Place affected HMIs behind a jump host that enforces multi-factor authentication and session recording.
  • Inventory all Weintek HMIs and confirm firmware versions to identify exposure.

Patch Information

No vendor advisory or fixed firmware version is listed in the NVD entry at publication. Contact Weintek support to obtain firmware that removes the hardcoded credential and monitor the vendor security portal for updated builds.

Workarounds

  • Segment HMIs into a dedicated OT VLAN with deny-by-default ingress rules per IEC 62443 zone-and-conduit guidance.
  • Terminate FTP at an intermediary proxy that enforces source IP restrictions and logs every session.
  • Restrict physical and remote management access to the HMI to named operators and rotate any shared engineering credentials.
```bash
# Example firewall rule to restrict FTP access to the HMI
# Replace HMI_IP and ENG_WORKSTATION with your environment values
# The ACCEPT rule must precede the DROP rule so the allowlisted source matches first
iptables -A FORWARD -p tcp -s ENG_WORKSTATION -d HMI_IP --dport 21 -j ACCEPT
iptables -A FORWARD -p tcp -d HMI_IP --dport 21 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
