Vulnerability Description
The database backup function in Delta Electronics InfraSuite Device Master Versions 00.00.01a and prior lacks proper authentication. An attacker could provide malicious serialized objects which, when deserialized, could activate an opcode for a backup scheduling function without authentication. This function allows the user to designate all function arguments and the file to be executed. This could allow the attacker to start any new process and achieve remote code execution.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Deltaww | Infrasuite Device Master | < 00.00.02a |
Related Weaknesses (CWE)
References
- https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-07PatchThird Party AdvisoryUS Government Resource
- https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-07PatchThird Party AdvisoryUS Government Resource
FAQ
What is CVE-2022-40202?
CVE-2022-40202 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The database backup function in Delta Electronics InfraSuite Device Master Versions 00.00.01a and prior lacks proper authentication. An attacker could provide malicious serialized objects which, when...
How severe is CVE-2022-40202?
CVE-2022-40202 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-40202?
Check the references section above for vendor advisories and patch information. Affected products include: Deltaww Infrasuite Device Master.