CVE-2022-23450
CVE-2022-23450
In short
A flaw in SIMATIC Energy Manager allows attackers to send specially crafted files that trick the software into running malicious code with full system privileges, without needing a password.
Technical detail
The vulnerability stems from insecure deserialization (CWE-502) of untrusted serialized objects. An unauthenticated remote attacker can craft and transmit a malicious serialized payload to trigger arbitrary code execution with SYSTEM-level privileges on affected versions before V7.3 Update 1.
Summary generated and translated by AI from the official description.
A vulnerability has been identified in SIMATIC Energy Manager Basic (All versions < V7.3 Update 1), SIMATIC Energy Manager PRO (All versions < V7.3 Update 1). The affected system allows remote users to send maliciously crafted objects. Due to insecure deserialization of user-supplied content by the affected software, an unauthenticated attacker could exploit this vulnerability by sending a maliciously crafted serialized object. This could allow the attacker to execute arbitrary code on the device with SYSTEM privileges.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →