CVE-2022-30318 — CRITICAL (9.8)

Q: How severe is CVE-2022-30318?

CVE-2022-30318 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2022-30318?

Check the references section above for vendor advisories and patch information. Affected products include: Honeywell Controledge Plc Firmware, Honeywell Controledge Plc, Honeywell Controledge Rtu Firmware, Honeywell Controledge Rtu.

Vulnerability Description

Honeywell ControlEdge through R151.1 uses Hard-coded Credentials. According to FSCT-2022-0056, there is a Honeywell ControlEdge hardcoded credentials issue. The affected components are characterized as: SSH. The potential impact is: Remote code execution, manipulate configuration, denial of service. The Honeywell ControlEdge PLC and RTU product line exposes an SSH service on port 22/TCP. Login as root to this service is permitted and credentials for the root user are hardcoded without automatically changing them upon first commissioning. The credentials for the SSH service are hardcoded in the firmware. The credentials grant an attacker access to a root shell on the PLC/RTU, allowing for remote code execution, configuration manipulation and denial of service.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Honeywell	Controledge Plc Firmware	< r151.2
Honeywell	Controledge Plc	-
Honeywell	Controledge Rtu Firmware	< r151.2
Honeywell	Controledge Rtu	-

Related Weaknesses (CWE)

CWE-798

References

https://www.cisa.gov/uscert/ics/advisories/icsa-22-242-06Third Party AdvisoryUS Government Resource
https://www.forescout.com/blog/Not Applicable
https://www.cisa.gov/uscert/ics/advisories/icsa-22-242-06Third Party AdvisoryUS Government Resource
https://www.forescout.com/blog/Not Applicable

FAQ

What is CVE-2022-30318?

CVE-2022-30318 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Honeywell ControlEdge through R151.1 uses Hard-coded Credentials. According to FSCT-2022-0056, there is a Honeywell ControlEdge hardcoded credentials issue. The affected components are characterized a...

How severe is CVE-2022-30318?

CVE-2022-30318 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2022-30318?

Check the references section above for vendor advisories and patch information. Affected products include: Honeywell Controledge Plc Firmware, Honeywell Controledge Plc, Honeywell Controledge Rtu Firmware, Honeywell Controledge Rtu.