Inadequate Encryption Strength in LS ELECTRIC PLC and XG5000
| Risk | Medium |
| Patch available | NO |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2022-2758 |
| CWE-ID | CWE-326 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
LS Electric PLC Hardware solutions / Firmware XG5000 Hardware solutions / Firmware |
| Vendor | LS Electric |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Inadequate Encryption Strength
EUVDB-ID: #VU66585
Risk: Medium
CVSSv3.1: 6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2022-2758
CWE-ID:
CWE-326 - Inadequate Encryption Strength
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the passwords are not adequately encrypted during the communication process between the XG5000 software and the affected PLC. A remote attacker can identify and decrypt the affected PLC’s password by sniffing the traffic.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsLS Electric PLC: All versions
XG5000: All versions
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-22-228-02
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
