Xzeres 442SR wind turbine
Researcher Maxim Rupp has identified a cross-site request forgery (CSRF) vulnerability in XZERES’s 442SR turbine generator operating system (OS). XZERES has produced a patch to mitigate this vulnerability.

This vulnerability could be exploited remotely.

The following XZERES product is affected:

  • 442SR Wind Turbine.

Successful exploitation of this vulnerability allows the ID to be retrieved from the browser and the default ID to be changed. This can cause a loss of power for all attached systems.

The 442SR OS accepts both the POST and GET methods for data input. By using the GET method, an attacker may retrieve the ID from the browser and change the default user ID. The default user has admin rights to the entire system.
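As an added illustration (not code from XZERES or from this advisory), the handlers below contrast the pattern the advisory describes, a state-changing action accepted over GET with no request token, with a hardened handler that accepts only POST carrying a per-session token. The state dictionary, the `new_id` and `csrf` parameter names and the helper functions are assumptions.

```python
import hmac
import secrets


def vulnerable_change_user(method, params, state):
    """Mirrors the flaw in the advisory: the action that changes the default
    user ID is honoured over GET as well as POST, with no CSRF protection,
    so a request the browser is tricked into issuing is indistinguishable
    from a legitimate one."""
    if method in ("GET", "POST") and "new_id" in params:
        state["default_user_id"] = params["new_id"]
        return 200
    return 400


def new_csrf_token(session):
    """Issue an unguessable per-session token (hypothetical helper)."""
    session["csrf"] = secrets.token_hex(16)
    return session["csrf"]


def hardened_change_user(method, params, state, session):
    """Hardened form: state changes are refused over GET, and a POST is
    honoured only when it carries the token bound to the caller's session."""
    if method != "POST":
        return 405  # GET must never change state
    token = params.get("csrf", "")
    expected = session.get("csrf")
    if not expected or not hmac.compare_digest(token, expected):
        return 403  # missing or wrong token: treat as a cross-site request
    if "new_id" not in params:
        return 400
    state["default_user_id"] = params["new_id"]
    return 200


if __name__ == "__main__":
    # Constructed sample state standing in for the turbine OS user table.
    state = {"default_user_id": "admin"}
    print(vulnerable_change_user("GET", {"new_id": "guest"}, state), state)
    state = {"default_user_id": "admin"}
    sess = {}
    print(hardened_change_user("GET", {"new_id": "guest"}, state, sess), state)
    tok = new_csrf_token(sess)
    print(hardened_change_user("POST", {"new_id": "guest", "csrf": tok}, state, sess), state)
```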

According to XZERES, the 442SR is deployed across the Energy sector. XZERES estimates that this product is used worldwide.

CVE-2015-3950 has been assigned to this vulnerability.

A CVSS base score of 10 has been assigned.