CVE-2021-20107

Severity: MEDIUM | CVSS 5.4/10 | EPSS 0.54%

CVE-2021-20107 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. There exists an unauthenticated BLE Interface in Sloan SmartFaucets including Optima EAF, Optima ETF/EBF, BASYS EFX, and Flushometers including SOLIS. The vulnerability allows for unauthenticated kinetic effects and information disclosure on the faucets. EPSS estimates a 0.54% chance of exploitation in the next 30 days.

Description

There exists an unauthenticated BLE Interface in Sloan SmartFaucets including Optima EAF, Optima ETF/EBF, BASYS EFX, and Flushometers including SOLIS. The vulnerability allows for unauthenticated kinetic effects and information disclosure on the faucets. It is possible to use the Bluetooth Low Energy (BLE) connectivity to read and write to many BLE characteristics on the device. Some of these control the flow of water, the sensitivity of the sensors, and information about maintenance.

Metrics

CVSS 3.1
5.4/10

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS Probability
0.54%

41.4th percentile

Probability of exploitation in the next 30 days.

Affected Software

Vendor | Product                   | Versions
-------|---------------------------|-------------
Sloan  | Optima Eaf-100 Firmware   | All versions
Sloan  | Optima Eaf-150 Firmware   | All versions
Sloan  | Optima Eaf-200 Firmware   | All versions
Sloan  | Optima Eaf-225 Firmware   | All versions
Sloan  | Optima Eaf-250 Firmware   | All versions
Sloan  | Optima Eaf-275 Firmware   | All versions
Sloan  | Optima Eaf-350 Firmware   | All versions
Sloan  | Optima Eaf-700 Firmware   | All versions
Sloan  | Optima Eaf-750 Firmware   | All versions
Sloan  | Optima Ebf-187 Firmware   | All versions
Sloan  | Optima Ebf-415 Firmware   | All versions
Sloan  | Optima Ebf-425 Firmware   | All versions
Sloan  | Optima Ebf-550 Firmware   | All versions
Sloan  | Optima Ebf-615 Firmware   | All versions
Sloan  | Optima Ebf-650 Firmware   | All versions
Sloan  | Optima Ebf-665 Firmware   | All versions
Sloan  | Optima Ebf-750 Firmware   | All versions
Sloan  | Optima Ebf-775 Firmware   | All versions
Sloan  | Optima Ebf-85 Firmware    | All versions
Sloan  | Optima Ebf-850 Firmware   | All versions
Sloan  | Optima Etf-610 Firmware   | All versions
Sloan  | Optima Etf-600 Firmware   | All versions
Sloan  | Optima Etf-410 Firmware   | All versions
Sloan  | Optima Etf-420 Firmware   | All versions
Sloan  | Optima Etf-500 Firmware   | All versions
Sloan  | Optima Etf-660 Firmware   | All versions
Sloan  | Optima Etf-700 Firmware   | All versions
Sloan  | Optima Etf-770 Firmware   | All versions
Sloan  | Optima Etf-80 Firmware    | All versions
Sloan  | Optima Etf-800 Firmware   | All versions
Sloan  | Optima Etf-880 Firmware   | All versions
Sloan  | Basys Efx-300 Firmware    | All versions
Sloan  | Basys Efx-350 Firmware    | All versions
Sloan  | Basys Efx-375 Firmware    | All versions
Sloan  | Basys Efx-377 Firmware    | All versions
Sloan  | Basys Efx-380 Firmware    | All versions
Sloan  | Basys Efx-600 Firmware    | All versions
Sloan  | Basys Efx-650 Firmware    | All versions
Sloan  | Basys Efx-675 Firmware    | All versions
Sloan  | Basys Efx-677 Firmware    | All versions
Sloan  | Basys Efx-680 Firmware    | All versions
Sloan  | Basys Efx-200 Firmware    | All versions
Sloan  | Basys Efx-250 Firmware    | All versions
Sloan  | Basys Efx-275 Firmware    | All versions
Sloan  | Basys Efx-277 Firmware    | All versions
Sloan  | Basys Efx-280 Firmware    | All versions
Sloan  | Basys Efx-100 Firmware    | All versions
Sloan  | Basys Efx-150 Firmware    | All versions
Sloan  | Basys Efx-175 Firmware    | All versions
Sloan  | Basys Efx-177 Firmware    | All versions

Showing 50 of 71 affected configurations. See NVD for the full list.

References

Frequently Asked Questions

What is CVE-2021-20107?
There exists an unauthenticated BLE Interface in Sloan SmartFaucets including Optima EAF, Optima ETF/EBF, BASYS EFX, and Flushometers including SOLIS. The vulnerability allows for unauthenticated kinetic effects and information disclosure on the faucets. It is possible to use the Bluetooth Low Energy (BLE) connectivity to read and write to many BLE characteristics on the device. Some of these control the flow of water, the sensitivity of the sensors, and information about maintenance.
How severe is CVE-2021-20107?
CVE-2021-20107 has a CVSS score of 5.4/10 (MEDIUM severity). The EPSS model estimates a 0.54% probability of exploitation in the next 30 days.
How do I fix CVE-2021-20107?
Check the vendor references and advisories for patched firmware versions and mitigation guidance. Because the affected interface is Bluetooth Low Energy with an adjacent-network attack vector (AV:A), limiting physical proximity to the devices reduces exposure until a fix is applied.

Source: NVD / NIST