GCVE - cpe:2.3:h:ovarro:tbox_rm2:-:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:h:ovarro:tbox_rm2:-:*:*:*:*:*:*:*

part: h version: - update: *

Vendor	Ovarro (`a773400a-8cce-5204-889e-e91aa2953911`)
Product	Tbox Rm2 (`6b8b2b94-9af3-57df-8380-f3af41dc49ab`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2023-3395`	not_vulnerable	2026-06-03 14:52:40.727295	Details available MEDIUM (6.5) All versions of the TWinSoft Configuration Tool store encrypted passwords as plaintext in memory. An attacker with access to system files could open a file to load the document into memory, including sensitive information associated with document, such as password. The attacker could then obtain the plaintext password by using a memory viewer. Published: 2023-07-03T20:04:17.653Z Updated: 2024-10-24T19:53:58.951Z Open on db.gcve.eu Reference links https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-03	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-36611`	not_vulnerable	2026-06-03 14:52:26.932894	Details available MEDIUM (6.5) The affected TBox RTUs allow low privilege users to access software security tokens of higher privilege. This could allow an attacker with “user” privileges to access files requiring higher privileges by establishing an SSH session and providing the other tokens. Published: 2023-07-03T20:03:07.721Z Updated: 2024-10-25T13:08:42.739Z Open on db.gcve.eu Reference links https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-03	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-36610`	not_vulnerable	2026-06-03 14:52:26.932136	Details available MEDIUM (5.9) The affected TBox RTUs generate software security tokens using insufficient entropy. The random seed used to generate the software tokens is not initialized correctly, and other parts of the token are generated using predictable time-based values. An attacker with this knowledge could successfully brute force the token and authenticate themselves. Published: 2023-07-03T20:01:31.978Z Updated: 2024-10-25T13:08:23.603Z Open on db.gcve.eu Reference links https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-03	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-36609`	not_vulnerable	2026-06-03 14:52:26.931164	Details available HIGH (7.2) The affected TBox RTUs run OpenVPN with root privileges and can run user defined configuration scripts. An attacker could set up a local OpenVPN server and push a malicious script onto the TBox host to acquire root privileges. Published: 2023-07-03T19:59:08.547Z Updated: 2024-11-25T18:11:48.466Z Open on db.gcve.eu Reference links https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-03	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-36609`	vulnerable	2026-06-03 14:52:26.930749	Details available HIGH (7.2) The affected TBox RTUs run OpenVPN with root privileges and can run user defined configuration scripts. An attacker could set up a local OpenVPN server and push a malicious script onto the TBox host to acquire root privileges. Published: 2023-07-03T19:59:08.547Z Updated: 2024-11-25T18:11:48.466Z Open on db.gcve.eu Reference links https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-03	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-36608`	not_vulnerable	2026-06-03 14:52:26.930050	Details available MEDIUM (6.5) The affected TBox RTUs store hashed passwords using MD5 encryption, which is an insecure encryption algorithm. Published: 2023-07-03T19:55:21.309Z Updated: 2024-10-25T13:08:01.588Z Open on db.gcve.eu Reference links https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-03	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-36607`	not_vulnerable	2026-06-03 14:52:26.927590	CVE-2023-36607 The affected TBox RTUs are missing authorization for running some API commands. An attacker running these commands could reveal sensitive information such as software versions and web server file contents. Published: 2023-06-29T20:30:13.093Z Updated: 2024-11-26T19:21:53.870Z Open on db.gcve.eu Reference links https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-03	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-36607`	vulnerable	2026-06-03 14:52:26.913504	CVE-2023-36607 The affected TBox RTUs are missing authorization for running some API commands. An attacker running these commands could reveal sensitive information such as software versions and web server file contents. Published: 2023-06-29T20:30:13.093Z Updated: 2024-11-26T19:21:53.870Z Open on db.gcve.eu Reference links https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-03	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2021-22650`	not_vulnerable	2026-06-03 14:43:53.315224	Ovarro TBox Relative Path Traversal HIGH (7.5) An attacker may use TWinSoft and a malicious source project file (TPG) to extract files on machine executing Ovarro TWinSoft, which could lead to code execution. Published: 2022-07-28T14:18:25.000Z Updated: 2025-04-17T15:49:09.268Z Open on db.gcve.eu Reference links https://www.cisa.gov/uscert/ics/advisories/icsa-21-054-04	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2021-22648`	not_vulnerable	2026-06-03 14:43:53.313760	Ovarro TBox Incorrect Permission Assignment for Critical Resource HIGH (8.8) Ovarro TBox proprietary Modbus file access functions allow attackers to read, alter, or delete the configuration file. Published: 2022-07-28T14:18:45.000Z Updated: 2025-04-17T15:48:58.949Z Open on db.gcve.eu Reference links https://www.cisa.gov/uscert/ics/advisories/icsa-21-054-04	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2021-22646`	not_vulnerable	2026-06-03 14:43:53.312138	Ovarro TBox Code Injection HIGH (8.8) The “ipk” package containing the configuration created by TWinSoft can be uploaded, extracted, and executed in Ovarro TBox, allowing malicious code execution. Published: 2022-07-28T14:19:30.000Z Updated: 2025-04-17T15:48:32.572Z Open on db.gcve.eu Reference links https://www.cisa.gov/uscert/ics/advisories/icsa-21-054-04	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2021-22644`	not_vulnerable	2026-06-03 14:43:53.310675	Ovarro TBox Use of Hard-coded Cryptographic Key HIGH (7.5) Ovarro TBox TWinSoft uses the custom hardcoded user “TWinSoft” with a hardcoded key. Published: 2022-07-28T14:19:10.000Z Updated: 2025-04-17T15:48:47.601Z Open on db.gcve.eu Reference links https://www.cisa.gov/uscert/ics/advisories/icsa-21-054-04	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2021-22642`	not_vulnerable	2026-06-03 14:43:53.291787	Ovarro TBox Uncontrolled Resource Consumption HIGH (7.5) An attacker could use specially crafted invalid Modbus frames to crash the Ovarro TBox system. Published: 2022-07-28T14:17:44.000Z Updated: 2025-04-17T15:49:28.131Z Open on db.gcve.eu Reference links https://www.cisa.gov/uscert/ics/advisories/icsa-21-054-04	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2021-22640`	not_vulnerable	2026-06-03 14:43:53.288795	Ovarro TBox Insufficiently Protected Credentials HIGH (7.5) An attacker can decrypt the Ovarro TBox login password by communication capture and brute force attacks. Published: 2022-07-28T14:18:04.000Z Updated: 2025-04-17T15:49:20.437Z Open on db.gcve.eu Reference links https://www.cisa.gov/uscert/ics/advisories/icsa-21-054-04	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.