FixVibe
覆盖FixVibecritical

Authentication Bypass in SiteOmat BOS (CVE-2017-14728)

SiteOmat BOS versions before 6.4.414.084 are associated with CVE-2017-14728. FixVibe reports strong public HTTP product/version evidence during verified active scans without attempting default credentials, SSH login, broad port scans, state-changing management actions, or unauthorized access.

CVE-2017-14728CWE-798CWE-287

Attacker impact

CVE-2017-14728 covers hard-coded application login credentials in Orpak SiteOmat BOS. CISA and NVD rate the issue as critical because a reachable affected management interface can create unauthorized access risk for fuel-station monitoring, configuration, and payment-related workflows. [S1][S2]

Affected versions

CISA lists SiteOmat versions prior to 6.4.414.084 as affected, and the advisory recommends updating to SiteOmat 6.4.414.139 or later. NVD maps the affected CPE range to versions before 6.4.414.084. [S1][S2]

Covered by FixVibe

FixVibe can report this as a version-based advisory during verified active scans when the target returns strong public HTTP evidence that it appears to be SiteOmat BOS with a version below 6.4.414.084.

The check is intentionally bounded: it uses read-only HTTP evidence from the verified target and does not attempt default credentials, SSH login, password spraying, broad port scanning, state-changing management actions, or unauthorized access.

What FixVibe does not verify

FixVibe does not prove that default credentials still work, authenticate to SiteOmat, inspect configuration, access fuel-station data, or determine whether a vendor-supported backport preserves a stale public version string.

Remediation

Verify the running SiteOmat version from trusted device inventory or the vendor-supported management console. Upgrade affected deployments to 6.4.414.084 or newer, preferably 6.4.414.139 or later, change or rotate default/shared administrative credentials, disable unnecessary SSH and HTTP management exposure, restrict management access to trusted industrial networks, VPN, or an authenticated management segment, and review access logs for unexpected management activity.

Authentication Bypass in SiteOmat BOS (CVE-2017-14728) — FixVibe research · FixVibe