Vulnerability Details : CVE-2022-29898
On various RAD-ISM-900-EN-* devices by PHOENIX CONTACT an admin user could use the configuration file uploader in the WebUI to execute arbitrary code with root privileges on the OS due to an improper validation of an integrity check value in all versions of the firmware.
Vulnerability category: Execute code
Products affected by CVE-2022-29898
- cpe:2.3:o:phoenixcontact:rad-ism-900-en-bd_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:rad-ism-900-en-bd\/b_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:phoenixcontact:rad-ism-900-en-bd-bus_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-29898
0.10%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 42 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-29898
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.0
|
HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C |
8.0
|
10.0
|
NIST | |
9.1
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
2.3
|
6.0
|
CERT VDE |
CWE ids for CVE-2022-29898
-
The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.Assigned by: info@cert.vde.com (Primary)
References for CVE-2022-29898
-
https://cert.vde.com/en/advisories/VDE-2022-018/
VDE-2022-018 | CERT@VDEVendor Advisory
Jump to