|Article No°||Product Name||Affected Version(s)|
|2709858310 - 90||Element backup||< F21000400|
|2700852201 - 52||Element S1||< 2e.3.8.0|
|2700852301 - 53||Element S2||< 2e.3.8.0|
|2700852401 - 53||Element S2||< 2e.3.8.0|
|2709852201 - 53||Element S3||< 2e.3.8.0|
|2709852201 - 53||Element S3||< 2e.4.4.0|
|2709858202 - 13||Element S4||< D21010400|
|2703852201||One L/XL||< 2e.3.8.0|
|2707852201||Pulse (not pulse neo)||< C21010800|
VARTA energy storage systems have a web user interface via which users and installers can access live data measurements and configure the system to their needs. It has been discovered that the corresponding credentials are hard-coded within the frontend and thus potentially exploitable.
Hard-coded credentials in Web-UI of multiple VARTA Storage products in multiple versions allows an unauthorized attacker to gain administrative access to the Web-UI via network.
The vulnerability allows unauthorized read and write access to the web backend. This allows reading and writing of parameters that are not intended for this purpose (e.g. connectivity settings, grid parameters). This can impact the operational availability and integrity. The safety of the battery storage device is not affected because safety relevant parameters are not accessible via the web backend.
General countermeasures: Restrict HTTP traffic to the energy storage system by using an inbound firewall or other measures on the network level.
Product-specific countermeasures: A fixed version will be rolled out OTA as soon as it is available. Rollout for VARTA element backup will start end of Q1/2023 followed by Element S4.
Thanks also go to the security researcher Andreas Dolp for reporting and collaboration on this topic.
VARTA thanks CERT@VDE for the coordination and support with this publication.