exploitDog

CVE-2022-36385

Опубликовано: 13 сент. 2022

Источник: nvd

CVSS3: 6.8

EPSS Низкий

Описание

A threat actor with momentary access to the device can plug in a USB drive and perform a malicious firmware update, resulting in permanent changes to device functionality. No authentication or controls are in place to prevent a threat actor from maliciously modifying firmware and performing a drive-by attack to load the firmware on any CMS8000 device.

Ссылки

https://www.cisa.gov/uscert/ics/advisories/icsma-22-244-01
Mitigation
Third Party Advisory
US Government Resource
https://www.cisa.gov/uscert/ics/advisories/icsma-22-244-01
Mitigation
Third Party Advisory
US Government Resource

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:o:contechealth:cms8000_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:contechealth:cms8000:-:*:*:*:*:*:*:*

EPSS

Процентиль: 22%

0.00071

Низкий

6.8 Medium

CVSS3

Дефекты

CWE-284

NVD-CWE-noinfo

Связанные уязвимости

GHSA-gvx4-5vjq-6x82

CVSS3: 6.8

github

больше 3 лет назад

A threat actor with momentary access to the device can plug in a USB drive and perform a malicious firmware update, resulting in permanent changes to device functionality. No authentication or controls are in place to prevent a threat actor from maliciously modifying firmware and performing a drive-by attack to load the firmware on any CMS8000 device.

EPSS

Процентиль: 22%

0.00071

Низкий

6.8 Medium

CVSS3

Дефекты

CWE-284

NVD-CWE-noinfo