CVE-2022-2788
 
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Emerson Electric's Proficy Machine Edition Version 9.80 and prior is vulnerable to CWE-29 Path Traversal: '\..\Filename', also known as a ZipSlip attack, through an upload procedure which enables attackers to implant a malicious .BLZ file on the PLC. The file can transfer through the engineering station onto Windows in a way that executes the malicious code.
Emerson Electrics Proficy Machine Edition versiones 9.80 y anteriores, es vulnerable a CWE-29 Salto de Ruta: '\..\Filename", también se conoce como ataque ZipSlip, mediante un procedimiento de carga que permite a atacantes implantar un archivo .BLZ malicioso en el PLC. El archivo puede transferirse mediante la estación de ingeniería a Windows de forma que sea ejecutado el código malicioso.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-08-11 CVE Reserved
- 2022-08-19 CVE Published
- 2024-03-11 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-29: Path Traversal: '\..\filename'
CAPEC
References (1)
URL | Tag | Source |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-06 | Mitigation |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Emerson Search vendor "Emerson" | Electric\'s Proficy Search vendor "Emerson" for product "Electric\'s Proficy" | <= 9.80 Search vendor "Emerson" for product "Electric\'s Proficy" and version " <= 9.80" | machine |
Affected
|