CVE-2022-2336
Softing Secure Integration Server Improper Authentication
Descriptions
Softing Secure Integration Server, edgeConnector, and edgeAggregator software ships with the default administrator credentials as `admin` and password as `admin`. This allows Softing to log in to the server directly to perform administrative functions. Upon installation or upon first login, the application does not ask the user to change the `admin` password. There is no warning or prompt to ask the user to change the default password, and to change the password, many steps are required.
This vulnerability allows remote attackers to bypass authentication on affected installations of Softing Secure Integration Server. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the default configuration of user accounts. The configuration contains hard-coded credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the Administrator.
Timeline
- 2022-07-06 CVE Reserved
- 2022-08-17 CVE Published
- 2024-03-09 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-287: Improper Authentication
References (2)
URL | Tag | Source |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-04 | Third Party Advisory | |

URL | Date | SRC |
---|---|---|
https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-6.html | 2022-08-22 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Softing | Edgeaggregator | 3.1 | - | Affected |
Softing | Edgeconnector | 3.1 | - | Affected |
Softing | Opc | 5.2 | - | Affected |
Softing | Opc Ua C++ Software Development Kit | 6 | - | Affected |
Softing | Secure Integration Server | 1.22 | - | Affected |
Softing | Uagates | 1.74 | - | Affected |