Vulnerability Details: CVE-2022-30243
Honeywell Alerton Visual Logic through 2022-05-04 allows unauthenticated programming writes from remote users. This enables code to be stored on the controller and then run without verification. A user with malicious intent can send a crafted packet to change and/or stop the program without the knowledge of other users, altering the controller's function. After the programming change, the program needs to be overwritten in order for the controller to restore its original operational function.
Vulnerability category: File inclusion
Products affected by CVE-2022-30243
- cpe:2.3:o:honeywell:alterton_visual_logic_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-30243
- EPSS score: 0.17% (probability of exploitation activity in the next 30 days)
- Percentile: ~53% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2022-30243
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
CWE ids for CVE-2022-30243
- The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-30243
- https://blog.scadafence.com (SCADAfence Blog; Not Applicable)
- https://github.com/scadafence/Honeywell-Alerton-Vulnerabilities (GitHub - scadafence/Honeywell-Alerton-Vulnerabilities: Alerton Ascent Control Module (ACM) & Alerton Visual Logic vulnerabilities; Third Party Advisory)
- https://www.honeywell.com/us/en/product-security (Vendor Advisory)