1 vulnerability by LS Industrial Systems (LSIS) Co. Ltd LS Electric
CVE-2022-2758 (GCVE-0-2022-2758)
Vulnerability from cvelistv5 – Published: 2022-08-31 15:33 – Updated: 2025-04-16 16:11
Title
Update
Summary
Passwords are not adequately encrypted during the communication process between all versions of LS Industrial Systems (LSIS) Co. Ltd LS Electric XG5000 software prior to V4.0 and LS Electric PLCs: all versions of XGK-CPUU/H/A/S/E prior to V3.50, all versions of XGI-CPUU/UD/H/S/E prior to V3.20, all versions of XGR-CPUH prior to V1.80, all versions of XGB-XBMS prior to V3.00, all versions of XGB-XBCH prior to V1.90, and all versions of XGB-XECH prior to V1.30. This would allow an attacker to identify and decrypt the password of the affected PLCs by sniffing the PLC’s communication traffic.
Severity ?
6.5 (Medium)
CWE
- CWE-326 - Inadequate Encryption Strength
Assigner
References
Impacted products
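| Vendor | Product | Version |
|---|---|---|
| LS Industrial Systems (LSIS) Co. Ltd LS Electric | XG5000 | Affected: All versions, < V4.0 (custom) |
| LS Industrial Systems (LSIS) Co. Ltd LS Electric | PLC: XGB-XECH | Affected: All versions, < V1.30 (custom) |
| LS Industrial Systems (LSIS) Co. Ltd LS Electric | PLC: XGB-XBCH | Affected: All versions, < V1.90 (custom) |
| LS Industrial Systems (LSIS) Co. Ltd LS Electric | PLC: XGB-XBMS | Affected: All versions, < V3.00 (custom) |
| LS Industrial Systems (LSIS) Co. Ltd LS Electric | PLC: XGR-CPUH | Affected: All versions, < V1.80 (custom) |
| LS Industrial Systems (LSIS) Co. Ltd LS Electric | PLC: XGI-CPUU/UD/H/S/E | Affected: All versions, < V3.20 (custom) |
| LS Industrial Systems (LSIS) Co. Ltd LS Electric | PLC: XGK-CPUU/H/A/S/E | Affected: All versions, < V3.50 (custom) |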
Credits
Hong-Gi Kin of the Korea Internet & Security Agency (KISA) reported this vulnerability.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:46:04.435Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-02"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-2758",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T15:50:15.763986Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T16:11:29.230Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "XG5000",
"vendor": "LS Industrial Systems (LSIS) Co. Ltd LS Electric",
"versions": [
{
"lessThan": "V4.0",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
},
{
"product": "PLC: XGB-XECH",
"vendor": "LS Industrial Systems (LSIS) Co. Ltd LS Electric",
"versions": [
{
"lessThan": "V1.30",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
},
{
"product": "PLC: XGB-XBCH",
"vendor": "LS Industrial Systems (LSIS) Co. Ltd LS Electric",
"versions": [
{
"lessThan": "V1.90",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
},
{
"product": "PLC: XGB-XBMS",
"vendor": "LS Industrial Systems (LSIS) Co. Ltd LS Electric",
"versions": [
{
"lessThan": "V3.00",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
},
{
"product": "PLC: XGR-CPUH",
"vendor": "LS Industrial Systems (LSIS) Co. Ltd LS Electric",
"versions": [
{
"lessThan": "V1.80",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
},
{
"product": "PLC: XGI-CPUU/UD/H/S/E",
"vendor": "LS Industrial Systems (LSIS) Co. Ltd LS Electric",
"versions": [
{
"lessThan": "V3.20",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
},
{
"product": "PLC: XGK-CPUU/H/A/S/E",
"vendor": "LS Industrial Systems (LSIS) Co. Ltd LS Electric",
"versions": [
{
"lessThan": "V3.50",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Hong-Gi Kin of the Korea Internet \u0026 Security Agency (KISA) reported this vulnerability."
}
],
"datePublic": "2022-08-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Passwords are not adequately encrypted during the communication process between all versions of LS Industrial Systems (LSIS) Co. Ltd LS Electric XG5000 software prior to V4.0 and LS Electric PLCs: all versions of XGK-CPUU/H/A/S/E prior to V3.50, all versions of XGI-CPUU/UD/H/S/E prior to V3.20, all versions of XGR-CPUH prior to V1.80, all versions of XGB-XBMS prior to V3.00, all versions of XGB-XBCH prior to V1.90, and all versions of XGB-XECH prior to V1.30. This would allow an attacker to identify and decrypt the password of the affected PLCs by sniffing the PLC\u2019s communication traffic."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326 Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-14T00:00:00.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-02"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Update",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2022-2758",
"datePublished": "2022-08-31T15:33:03.944Z",
"dateReserved": "2022-08-10T00:00:00.000Z",
"dateUpdated": "2025-04-16T16:11:29.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}