CVE-2021-45031 Mepsan CVE debrief

Who should care

Organizations operating MEPSAN Stawiz USC++ fuel station management or industrial control systems, particularly those in regions covered by USOM advisories. System administrators responsible for USC++ deployments and security teams monitoring OT/ICS environments should prioritize this patch.

Technical summary

The vulnerability exists in the login function of MEPSAN Stawiz USC++ versions prior to 3.0. The weakness allows attackers to generate passwords for accounts with elevated privileges, effectively bypassing intended access controls. The CVSS 3.1 score of 7.7 reflects high confidentiality and availability impact with low integrity impact, accessible via network with high attack complexity. The CPE configuration indicates all versions before 3.0 are vulnerable with no lower bound specified. CWE-305 (Authentication Bypass by Primary Weakness) and NVD-CWE-noinfo are associated weakness classifications.

Defensive priority

HIGH

Recommended defensive actions

• Upgrade MEPSAN Stawiz USC++ to version 3.0 or later to eliminate the authentication weakness
• Review administrative account access logs for unauthorized password generation or account creation activity prior to patching
• Implement network segmentation to limit exposure of USC++ management interfaces to trusted administrative hosts only
• Monitor for anomalous authentication patterns or privilege escalation attempts on affected systems
• Contact MEPSAN support for detailed remediation guidance if upgrade cannot be immediately applied

Evidence notes

CVE description confirms login function weakness enabling high-privileged account password generation. CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H supports network attack vector with high confidentiality and availability impact. CPE criteria confirms affected versions are all releases prior to 3.0. USOM advisory TR-22-0269 provides third-party confirmation.

Official resources