#VU64683 Improper Enforcement of Behavioral Workflow in SEPCOS Single Package - CVE-2022-1667

Cybersecurity Help s.r.o.

Published: 2022-06-27

Vulnerability identifier: #VU64683

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-1667

CWE-ID: CWE-841

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
SEPCOS Single Package
Hardware solutions / Firmware

Vendor: Sécheron

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper enforcement of behavioral workflow. A remote attacker can bypass client-side JavaScript controls by directly running a JS function to reboot the PLC or by loading the corresponding, browser accessible PHP script.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

SEPCOS Single Package: before 1.23.21

External links
https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Secheron SEPCOS Single Package