Risk | High |
Patch available | YES |
Number of vulnerabilities | 7 |
CVE-ID | CVE-2022-25246 CVE-2022-25247 CVE-2022-25248 CVE-2022-25250 CVE-2022-25251 CVE-2022-25249 CVE-2022-25252 |
CWE-ID | CWE-798 CWE-306 CWE-200 CWE-22 CWE-703 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
Axeda agent Other software / Other software solutions Axeda Desktop Server for Windows Other software / Other software solutions |
Vendor |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
EUVDB-ID: #VU61183
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-25246
CWE-ID:
CWE-798 - Use of Hard-coded Credentials
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain full access to vulnerable system.
The vulnerability exists due to presence of hard-coded credentials in application code for UltraVNC installation. A remote unauthenticated attacker can access the affected system using the hard-coded credentials.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAxeda agent: before 6.9.3 1051
Axeda Desktop Server for Windows: before 6.9 215
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-22-067-01
http://www.ptc.com/en/support/article/CS363561
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU61184
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-25247
CWE-ID:
CWE-306 - Missing Authentication for Critical Function
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to the affected product allows an attacker to send certain commands to a specific port without authentication. A remote attacker can obtain full file-system access and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAxeda agent: before 6.9.3 1051
Axeda Desktop Server for Windows: before 6.9 215
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-22-067-01
http://www.ptc.com/en/support/article/CS363561
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU61185
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-25248
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the affected product supplies the event log of the specific service when connecting to a certain port. A remote attacker can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAxeda agent: before 6.9.3 1051
Axeda Desktop Server for Windows: before 6.9 215
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-22-067-01
http://www.ptc.com/en/support/article/CS363561
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU61192
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-25250
CWE-ID:
CWE-306 - Missing Authentication for Critical Function
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to the affected product may allow an attacker to send a certain command to a specific port without authentication. A remote attacker can shut down a specific service.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAxeda agent: before 6.9.3 1051
Axeda Desktop Server for Windows: before 6.9 215
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-22-067-01
http://www.ptc.com/en/support/article/CS363561
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU61193
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-25251
CWE-ID:
CWE-306 - Missing Authentication for Critical Function
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to the affected product may allow an attacker to send certain XML messages to a specific port without proper authentication. A remote attacker can read and modify the affected product’s configuration.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAxeda agent: before 6.9.3 1051
Axeda Desktop Server for Windows: before 6.9 215
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-22-067-01
http://www.ptc.com/en/support/article/CS363561
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU61194
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-25249
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsAxeda agent: before 6.9.3 1051
Axeda Desktop Server for Windows: before 6.9 215
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-22-067-01
http://www.ptc.com/en/support/article/CS363561
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU61195
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-25252
CWE-ID:
CWE-703 - Improper Check or Handling of Exceptional Conditions
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the affected product when receiving certain input throws an exception. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAxeda agent: before 6.9.3 1051
Axeda Desktop Server for Windows: before 6.9 215
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-22-067-01
http://www.ptc.com/en/support/article/CS363561
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.