CVE-2022-33859 (GCVE-0-2022-33859)
Vulnerability from cvelistv5 – Published: 2022-10-28 01:15 – Updated: 2025-05-06 19:40
VLAI?
Summary
A security vulnerability was discovered in the Eaton Foreseer EPMS software. Foreseer EPMS connects an operation’s vast array of devices to assist in the reduction of energy consumption and avoid unplanned downtime caused by the failures of critical systems. A threat actor may upload arbitrary files using the file upload feature.
This vulnerability is present in versions 4.x, 5.x, 6.x & 7.0 to 7.5. A new version (v7.6) containing the remediation has been made available by Eaton and a mitigation has been provided for the affected versions that are currently supported.
Customers are advised to update the software to the latest version (v7.6).
Foreseer EPMS versions 4.x, 5.x, 6.x are no longer supported by Eaton. Please refer to the End-of-Support notification https://www.eaton.com/in/en-us/catalog/services/foreseer/foreseer-legacy.html .
Severity ?
8.1 (High)
CWE
- CWE-434 - Unrestricted Upload of File
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Eaton | Foreseer EPMS |
Affected:
7.0
Affected: 4.0 |
Credits
Michael
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T08:09:22.695Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://www.eaton.com/us/en-us/company/news-insights/cybersecurity/security-notifications.html",
"tags": [
"x_transferred"
],
"url": "https://www.eaton.com/us/en-us/company/news-insights/cybersecurity/security-notifications.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-33859",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-06T19:40:16.330230Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T19:40:37.059Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Foreseer EPMS",
"vendor": "Eaton",
"versions": [
{
"status": "affected",
"version": "7.0"
},
{
"status": "affected",
"version": "4.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Michael"
}
],
"datePublic": "2022-12-13T12:48:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A security vulnerability was discovered in the Eaton Foreseer EPMS software. Foreseer EPMS connects an operation\u2019s vast array of devices to assist in the reduction of energy consumption and avoid unplanned downtime caused by the failures of critical systems. A threat actor may upload arbitrary files using the file upload feature. \u003cbr\u003e\u003cbr\u003eThis vulnerability is present in versions 4.x, 5.x, 6.x \u0026amp; 7.0 to 7.5. A new version (v7.6) containing the remediation has been made available by Eaton and a mitigation has been provided for the affected versions that are currently supported. \u003cbr\u003e\u003cbr\u003eCustomers are advised to update the software to the latest version (v7.6).\u003cbr\u003e\u003cbr\u003eForeseer EPMS versions 4.x, 5.x, 6.x are no longer supported by Eaton. Please\u0026nbsp;refer to the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.eaton.com/in/en-us/catalog/services/foreseer/foreseer-legacy.html\"\u003eEnd-of-Support notification\u003c/a\u003e."
}
],
"value": "A security vulnerability was discovered in the Eaton Foreseer EPMS software. Foreseer EPMS connects an operation\u2019s vast array of devices to assist in the reduction of energy consumption and avoid unplanned downtime caused by the failures of critical systems. A threat actor may upload arbitrary files using the file upload feature. \n\nThis vulnerability is present in versions 4.x, 5.x, 6.x \u0026 7.0 to 7.5. A new version (v7.6) containing the remediation has been made available by Eaton and a mitigation has been provided for the affected versions that are currently supported. \n\nCustomers are advised to update the software to the latest version (v7.6).\n\nForeseer EPMS versions 4.x, 5.x, 6.x are no longer supported by Eaton. Please\u00a0refer to the End-of-Support notification https://www.eaton.com/in/en-us/catalog/services/foreseer/foreseer-legacy.html ."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-18T06:20:11.855Z",
"orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"shortName": "Eaton"
},
"references": [
{
"name": "https://www.eaton.com/us/en-us/company/news-insights/cybersecurity/security-notifications.html",
"url": "https://www.eaton.com/us/en-us/company/news-insights/cybersecurity/security-notifications.html"
}
],
"source": {
"advisory": "ETN",
"discovery": "EXTERNAL"
},
"title": "Unrestricted file upload in Eaton Foreseer EPMS",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759",
"assignerShortName": "Eaton",
"cveId": "CVE-2022-33859",
"datePublished": "2022-10-28T01:15:03.902Z",
"dateReserved": "2022-06-15T00:00:00.000Z",
"dateUpdated": "2025-05-06T19:40:37.059Z",
"serial": 1,
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:eaton:foreseer_electrical_power_monitoring_system:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"4.0\", \"versionEndExcluding\": \"7.6\", \"matchCriteriaId\": \"DC1A434B-BDB3-44CF-8FB8-2DFD7F1C3DE9\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"A security vulnerability was discovered in the Eaton Foreseer EPMS software. Foreseer EPMS connects an operation\\u2019s vast array of devices to assist in the reduction of energy consumption and avoid unplanned downtime caused by the failures of critical systems. A threat actor may upload arbitrary files using the file upload feature. \\n\\nThis vulnerability is present in versions 4.x, 5.x, 6.x \u0026 7.0 to 7.5. A new version (v7.6) containing the remediation has been made available by Eaton and a mitigation has been provided for the affected versions that are currently supported. \\n\\nCustomers are advised to update the software to the latest version (v7.6).\\n\\nForeseer EPMS versions 4.x, 5.x, 6.x are no longer supported by Eaton. Please\\u00a0refer to the End-of-Support notification https://www.eaton.com/in/en-us/catalog/services/foreseer/foreseer-legacy.html .\"}, {\"lang\": \"es\", \"value\": \"Se descubri\\u00f3 una vulnerabilidad de seguridad en el software Eaton Foreseer EPMS. Foreseer EPMS conecta la amplia gama de dispositivos de una operaci\\u00f3n para ayudar a reducir el consumo de energ\\u00eda y evitar tiempos de inactividad no planificados causados ??por fallas de sistemas cr\\u00edticos. Un actor de amenazas puede cargar archivos arbitrarios utilizando la funci\\u00f3n de carga de archivos. Esta vulnerabilidad est\\u00e1 presente en las versiones 4.x, 5.x, 6.x y 7.0 a 7.5. Eaton puso a disposici\\u00f3n una nueva versi\\u00f3n (v7.6) que contiene la soluci\\u00f3n y se proporcion\\u00f3 una mitigaci\\u00f3n para las versiones afectadas que son compatibles actualmente. Se recomienda a los clientes que actualicen el software a la \\u00faltima versi\\u00f3n (v7.6). Eaton ya no admite las versiones 4.x, 5.x y 6.x de Foreseer EPMS. Consulte la notificaci\\u00f3n de fin de soporte https://www.eaton.com/in/en-us/catalog/services/foreseer/foreseer-legacy.html.\"}]",
"id": "CVE-2022-33859",
"lastModified": "2024-11-21T07:08:29.430",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"CybersecurityCOE@eaton.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.5, \"impactScore\": 6.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
"published": "2022-10-28T02:15:17.343",
"references": "[{\"url\": \"https://www.eaton.com/us/en-us/company/news-insights/cybersecurity/security-notifications.html\", \"source\": \"CybersecurityCOE@eaton.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.eaton.com/us/en-us/company/news-insights/cybersecurity/security-notifications.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "CybersecurityCOE@eaton.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"CybersecurityCOE@eaton.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-434\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-434\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-33859\",\"sourceIdentifier\":\"CybersecurityCOE@eaton.com\",\"published\":\"2022-10-28T02:15:17.343\",\"lastModified\":\"2024-11-21T07:08:29.430\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A security vulnerability was discovered in the Eaton Foreseer EPMS software. Foreseer EPMS connects an operation\u2019s vast array of devices to assist in the reduction of energy consumption and avoid unplanned downtime caused by the failures of critical systems. A threat actor may upload arbitrary files using the file upload feature. \\n\\nThis vulnerability is present in versions 4.x, 5.x, 6.x \u0026 7.0 to 7.5. A new version (v7.6) containing the remediation has been made available by Eaton and a mitigation has been provided for the affected versions that are currently supported. \\n\\nCustomers are advised to update the software to the latest version (v7.6).\\n\\nForeseer EPMS versions 4.x, 5.x, 6.x are no longer supported by Eaton. Please\u00a0refer to the End-of-Support notification https://www.eaton.com/in/en-us/catalog/services/foreseer/foreseer-legacy.html .\"},{\"lang\":\"es\",\"value\":\"Se descubri\u00f3 una vulnerabilidad de seguridad en el software Eaton Foreseer EPMS. Foreseer EPMS conecta la amplia gama de dispositivos de una operaci\u00f3n para ayudar a reducir el consumo de energ\u00eda y evitar tiempos de inactividad no planificados causados ??por fallas de sistemas cr\u00edticos. Un actor de amenazas puede cargar archivos arbitrarios utilizando la funci\u00f3n de carga de archivos. Esta vulnerabilidad est\u00e1 presente en las versiones 4.x, 5.x, 6.x y 7.0 a 7.5. Eaton puso a disposici\u00f3n una nueva versi\u00f3n (v7.6) que contiene la soluci\u00f3n y se proporcion\u00f3 una mitigaci\u00f3n para las versiones afectadas que son compatibles actualmente. Se recomienda a los clientes que actualicen el software a la \u00faltima versi\u00f3n (v7.6). Eaton ya no admite las versiones 4.x, 5.x y 6.x de Foreseer EPMS. Consulte la notificaci\u00f3n de fin de soporte https://www.eaton.com/in/en-us/catalog/services/foreseer/foreseer-legacy.html.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"CybersecurityCOE@eaton.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.5,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"CybersecurityCOE@eaton.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-434\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-434\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eaton:foreseer_electrical_power_monitoring_system:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0\",\"versionEndExcluding\":\"7.6\",\"matchCriteriaId\":\"DC1A434B-BDB3-44CF-8FB8-2DFD7F1C3DE9\"}]}]}],\"references\":[{\"url\":\"https://www.eaton.com/us/en-us/company/news-insights/cybersecurity/security-notifications.html\",\"source\":\"CybersecurityCOE@eaton.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.eaton.com/us/en-us/company/news-insights/cybersecurity/security-notifications.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.eaton.com/us/en-us/company/news-insights/cybersecurity/security-notifications.html\", \"name\": \"https://www.eaton.com/us/en-us/company/news-insights/cybersecurity/security-notifications.html\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T08:09:22.695Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-33859\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-06T19:40:16.330230Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-06T19:40:25.924Z\"}}], \"cna\": {\"title\": \"Unrestricted file upload in Eaton Foreseer EPMS\", \"source\": {\"advisory\": \"ETN\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"Michael\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Eaton\", \"product\": \"Foreseer EPMS\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0\"}, {\"status\": \"affected\", \"version\": \"4.0\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2022-12-13T12:48:00.000Z\", \"references\": [{\"url\": \"https://www.eaton.com/us/en-us/company/news-insights/cybersecurity/security-notifications.html\", \"name\": \"https://www.eaton.com/us/en-us/company/news-insights/cybersecurity/security-notifications.html\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A security vulnerability was discovered in the Eaton Foreseer EPMS software. Foreseer EPMS connects an operation\\u2019s vast array of devices to assist in the reduction of energy consumption and avoid unplanned downtime caused by the failures of critical systems. A threat actor may upload arbitrary files using the file upload feature. \\n\\nThis vulnerability is present in versions 4.x, 5.x, 6.x \u0026 7.0 to 7.5. A new version (v7.6) containing the remediation has been made available by Eaton and a mitigation has been provided for the affected versions that are currently supported. \\n\\nCustomers are advised to update the software to the latest version (v7.6).\\n\\nForeseer EPMS versions 4.x, 5.x, 6.x are no longer supported by Eaton. Please\\u00a0refer to the End-of-Support notification https://www.eaton.com/in/en-us/catalog/services/foreseer/foreseer-legacy.html .\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"A security vulnerability was discovered in the Eaton Foreseer EPMS software. Foreseer EPMS connects an operation\\u2019s vast array of devices to assist in the reduction of energy consumption and avoid unplanned downtime caused by the failures of critical systems. A threat actor may upload arbitrary files using the file upload feature. \u003cbr\u003e\u003cbr\u003eThis vulnerability is present in versions 4.x, 5.x, 6.x \u0026amp; 7.0 to 7.5. A new version (v7.6) containing the remediation has been made available by Eaton and a mitigation has been provided for the affected versions that are currently supported. \u003cbr\u003e\u003cbr\u003eCustomers are advised to update the software to the latest version (v7.6).\u003cbr\u003e\u003cbr\u003eForeseer EPMS versions 4.x, 5.x, 6.x are no longer supported by Eaton. Please\u0026nbsp;refer to the \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://www.eaton.com/in/en-us/catalog/services/foreseer/foreseer-legacy.html\\\"\u003eEnd-of-Support notification\u003c/a\u003e.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-434\", \"description\": \"CWE-434 Unrestricted Upload of File\"}]}], \"providerMetadata\": {\"orgId\": \"63703b7d-23e2-41ef-94b3-a3c6333f7759\", \"shortName\": \"Eaton\", \"dateUpdated\": \"2023-10-18T06:20:11.855Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-33859\", \"state\": \"PUBLISHED\", \"serial\": 1, \"dateUpdated\": \"2025-05-06T19:40:37.059Z\", \"dateReserved\": \"2022-06-15T00:00:00.000Z\", \"assignerOrgId\": \"63703b7d-23e2-41ef-94b3-a3c6333f7759\", \"datePublished\": \"2022-10-28T01:15:03.902Z\", \"assignerShortName\": \"Eaton\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…