Improper Authentication in Softing AG products - CVE-2022-2336

 

Improper Authentication in Softing AG products - CVE-2022-2336

Published: August 24, 2022 / Updated: August 24, 2022


Vulnerability identifier: #VU66739
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2022-2336
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Softing AG
Affected software:
Secure Integration Server
edgeConnector
edgeAggregator

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to the affected software ships with the default administrator credentials as "admin" and password as "admin" and does not ask the user to change the password. A remote attacker can bypass authentication process and gain unauthorized access to the application.


How to mitigate CVE-2022-2336

Install updates from vendor's website.

Sources