CVE-2021-40825: nLight ECLYPSE (nECY) system Controllers running software prior to 1.17.21245.754 contain a default key vulnerability. The nECY does not force a chang...

Description

nLight ECLYPSE (nECY) system Controllers running software prior to 1.17.21245.754 contain a default key vulnerability. The nECY does not force a change to the key upon the initial configuration of an affected device. nECY system controllers utilize an encrypted channel to secure SensorViewTM configuration and monitoring software and nECY to nECY communications. Impacted devices are at risk of exploitation. A remote attacker with IP access to an impacted device could submit lighting control commands to the nECY by leveraging the default key. A successful attack may result in the attacker gaining the ability to modify lighting conditions or gain the ability to update the software on lighting devices. The impacted key is referred to as the SensorView Password in the nECY nLight Explorer Interface and the Gateway Password in the SensorView application. An attacker cannot authenticate to or modify the configuration or software of the nECY system controller.

Metrics

CVSS 3.1

8.6/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

EPSS Probability

1.09%

61.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-1188

Affected Software

Vendor	Product	Versions
Acuitybrands	Nlight Eclypse System Controller Firmware	< 1.17.21245.754

References

https://insights.acuitybrands.com/psirt-blog-2369078/nlight-eclypse-default-key-vulnerabiliyVendor Advisory
https://www.acuitybrands.com/products/detail/588952/nlight/necy-system-controller/nlight-eclypset-system-controllerProduct, Vendor Advisory
https://insights.acuitybrands.com/psirt-blog-2369078/nlight-eclypse-default-key-vulnerabiliyVendor Advisory
https://www.acuitybrands.com/products/detail/588952/nlight/necy-system-controller/nlight-eclypset-system-controllerProduct, Vendor Advisory

Timeline

Published: Sep 17, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-40825?

nLight ECLYPSE (nECY) system Controllers running software prior to 1.17.21245.754 contain a default key vulnerability. The nECY does not force a change to the key upon the initial configuration of an affected device. nECY system controllers utilize an encrypted channel to secure SensorViewTM configuration and monitoring software and nECY to nECY communications. Impacted devices are at risk of exploitation. A remote attacker with IP access to an impacted device could submit lighting control commands to the nECY by leveraging the default key. A successful attack may result in the attacker gaining the ability to modify lighting conditions or gain the ability to update the software on lighting devices. The impacted key is referred to as the SensorView Password in the nECY nLight Explorer Interface and the Gateway Password in the SensorView application. An attacker cannot authenticate to or modify the configuration or software of the nECY system controller.

How severe is CVE-2021-40825?

CVE-2021-40825 has a CVSS score of 8.6/10 (HIGH severity). The EPSS model estimates a 1.09% probability of exploitation in the next 30 days.

How do I fix CVE-2021-40825?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.