VDE-2026-003

Vulnerability from csaf_endresshauserag - Published: 2026-03-31 08:00 - Updated: 2026-04-01 11:00
Summary
Endress+Hauser: Multiple products prone to multiple vulnerabilities in e!Runtime and CODESYS V3 Runtime
Severity
High
Notes
Summary: Multiple Endress+Hauser devices are prone to vulnerabilities found in e!Runtime and the CODESYS V3 framework.
Impact: An external attacker could exploit the vulnerabilities to cause denial-of-service, overwrite memory, or execute arbitrary code.
Mitigation: The CDC 90 device is not designed for network connectivity by default. Since it is not connected to a network, the vulnerabilities cannot be exploited. However, if the customer chooses to connect the device to a network, the default firewall settings should be maintained, as this will mitigate the security vulnerabilities. For the CC 100 and PFC 200 devices, ensure that the default firewall settings remain intact and that both PLC Runtime and PLC WebVisu are disabled. This configuration effectively mitigates the identified security vulnerabilities.
Remediation: Although the CDC 90 device is typically not connected to a network, making exploitation of the vulnerabilities unlikely, Endress+Hauser has provided an update to eliminate the vulnerabilities should the device be connected. For the CC 100 and PFC 200 devices, Endress+Hauser provides updated firmware that incorporates WAGO's security fixes for the identified vulnerabilities. Customers are advised to update to the latest version. For support, please contact your local service center.

| Product | Fixed Version |
|--------|--------------|
| CC 100 (751-9301) | FW 28 |
| PFC 200 (750-82xx/xxx-xxx) | FW 28 |
| CDC 90 | V3.5.19.0 |

General Recommendation: Endress+Hauser recommends using the solutions only in a secure environment and allowing access to their components only to authorized persons.

Multiple CODESYS products in multiple versions are prone to an improper input validation vulnerability. An authenticated remote attacker may craft specific requests that use the vulnerability, leading to a denial-of-service condition.

CWE-20 - Improper Input Validation

An authenticated, remote attacker may use an out-of-bounds write vulnerability in multiple CODESYS products in multiple versions to write data into memory which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CWE-787 - Out-of-bounds Write

An authenticated remote attacker may use a stack based out-of-bounds write vulnerability in multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CWE-787 - Out-of-bounds Write

An authenticated remote attacker may use a stack based out-of-bounds write vulnerability in multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CWE-787 - Out-of-bounds Write

An authenticated remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CWE-787 - Out-of-bounds Write

An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CWE-787 - Out-of-bounds Write

An authenticated remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CWE-787 - Out-of-bounds Write

An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpAppForce Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CWE-787 - Out-of-bounds Write

An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CWE-787 - Out-of-bounds Write

An authenticated remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CWE-787 - Out-of-bounds Write

An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CWE-787 - Out-of-bounds Write

An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CWE-787 - Out-of-bounds Write

An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CWE-787 - Out-of-bounds Write

In multiple CODESYS products in multiple versions an unauthorized, remote attacker may use an improper input validation vulnerability to read from invalid addresses leading to a denial of service.

CWE-20 - Improper Input Validation

An authenticated, remote attacker may use an improper input validation vulnerability in the CmpApp/CmpAppBP/CmpAppForce Components of multiple CODESYS products in multiple versions to read from an invalid address which can lead to a denial-of-service condition.

CWE-20 - Improper Input Validation

An authenticated, remote attacker may use an Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple versions of multiple CODESYS products to force a denial-of-service situation.

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
Acknowledgments
CERT@VDE certvde.com

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      }
    ],
    "aggregate_severity": {
      "namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
      "text": "high"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "summary",
        "text": "Multiple Endress+Hauser devices are prone to vulnerabilities found in e!Runtime and the CODESYS V3 framework. ",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "An external attacker could exploit the vulnerabilities to cause denial-of-service, overwrite memory, or execute arbitrary code. ",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "The CDC 90 device is not designed for network connectivity by default. Since it is not connected to a network, the vulnerabilities cannot be exploited. However, if the customer chooses to connect the device to a network, the default firewall settings should be maintained, as this will mitigate the security vulnerabilities. \n\n \n\nFor the CC 100 and PFC 200 devices, ensure that the default firewall settings remain intact and that both PLC Runtime and PLC WebVisu are disabled. This configuration effectively mitigates the identified security vulnerabilities. ",
        "title": "Mitigation"
      },
      {
        "category": "description",
        "text": "Although the CDC 90 device is typically not connected to a network, making exploitation of the vulnerabilities unlikely, Endress+Hauser has provided an update to eliminate the vulnerabilities should the device be connected. \n\nFor the CC 100 and PFC 200 devices, Endress+Hauser provides updated firmware that incorporates WAGO\u0027s security fixes for the identified vulnerabilities. Customers are advised to update to the latest version \n\nFor support, please contact your local service center.\n\n| Product | Fixed Version |\n|--------|--------------|\n| CC 100 (751-9301) | FW 28 |\n| PFC 200 (750-82xx/xxx-xxx) | FW 28 |\n| CDC 90 | V3.5.19.0 |",
        "title": "Remediation"
      },
      {
        "category": "general",
        "text": "Endress+Hauser recommends using the solutions only in a secure environment and to allow access to their components only to authorized persons. ",
        "title": "General Recommendation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@endress.com",
      "name": "Endress+Hauser AG",
      "namespace": "https://www.endress.com"
    },
    "references": [
      {
        "category": "external",
        "summary": "Endress+Hauser",
        "url": "https://www.endress.com"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for Endress+Hauser",
        "url": "https://certvde.com/en/advisories/vendor/endress+hauser"
      },
      {
        "category": "self",
        "summary": "VDE-2026-003: Endress+Hauser: Multiple products prone to multiple vulnerabilities in e!Runtime and CODESYS V3 Runtime  - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2026-003"
      },
      {
        "category": "self",
        "summary": "VDE-2026-003: Endress+Hauser: Multiple products prone to multiple vulnerabilities in e!Runtime and CODESYS V3 Runtime  - CSAF",
        "url": "https://endress-hauser.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-003.json"
      }
    ],
    "title": "Endress+Hauser: Multiple products prone to multiple vulnerabilities in e!Runtime and CODESYS V3 Runtime ",
    "tracking": {
      "aliases": [
        "VDE-2026-003"
      ],
      "current_release_date": "2026-04-01T11:00:00.000Z",
      "generator": {
        "date": "2026-04-01T10:32:14.211Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.44"
        }
      },
      "id": "VDE-2026-003",
      "initial_release_date": "2026-03-31T08:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-03-31T08:00:00.000Z",
          "number": "1.0.0",
          "summary": "Initial version"
        },
        {
          "date": "2026-04-01T11:00:00.000Z",
          "number": "1.0.1",
          "summary": "Edited a typo in product tree."
        }
      ],
      "status": "final",
      "version": "1.0.1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "CC 100 (751-9301) ",
                "product": {
                  "name": "Endress+Hauser CC 100 (751-9301) ",
                  "product_id": "CSAFPID-11001",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:h:wago:cc_100:*:*:*:*:*:*:*:*",
                    "model_numbers": [
                      "751-9301"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "PFC 200 (750-82xx/xxx-xxx) ",
                "product": {
                  "name": "Endress+Hauser PFC 200 (750-82xx/xxx-xxx) ",
                  "product_id": "CSAFPID-11002",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:h:wago:pfc_200:*:*:*:*:*:*:*:*",
                    "model_numbers": [
                      "750-82??"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "CDC 90 ",
                "product": {
                  "name": "Endress+Hauser CDC 90 ",
                  "product_id": "CSAFPID-11003",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:h:wago:cdc_90:*:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "FW 25",
                "product": {
                  "name": "Firmware FW 25",
                  "product_id": "CSAFPID-21001"
                }
              },
              {
                "category": "product_version",
                "name": "FW 28",
                "product": {
                  "name": "Firmware FW 28",
                  "product_id": "CSAFPID-22001"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:generic/\u003c=FW 25",
                "product": {
                  "name": "Firmware \u003c=FW 25",
                  "product_id": "CSAFPID-21002"
                }
              },
              {
                "category": "product_version",
                "name": "V3.5.18.0 ",
                "product": {
                  "name": "Firmware V3.5.18.0 ",
                  "product_id": "CSAFPID-21003"
                }
              },
              {
                "category": "product_version",
                "name": "V3.5.19.0 ",
                "product": {
                  "name": "Firmware V3.5.19.0 ",
                  "product_id": "CSAFPID-22002"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:generic/\u003c=V3.5.18.0",
                "product": {
                  "name": "Firmware \u003c=V3.5.18.0",
                  "product_id": "CSAFPID-21004"
                }
              }
            ],
            "category": "product_family",
            "name": "Firmware"
          }
        ],
        "category": "vendor",
        "name": "Endress+Hauser"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006"
        ],
        "summary": "Affected Products."
      },
      {
        "group_id": "CSAFGID-0002",
        "product_ids": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "summary": "Fixed Products."
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware FW 23 installed on CC 100 (751-9301) ",
          "product_id": "CSAFPID-31001",
          "product_identification_helper": {
            "cpe": "cpe:2.3:o:wago:cc_100_firmware:fw23:*:*:*:*:*:*:*"
          }
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware FW 28 installed on CC 100 (751-9301) ",
          "product_id": "CSAFPID-32001",
          "product_identification_helper": {
            "cpe": "cpe:2.3:o:wago:cc_100_firmware:fw28:*:*:*:*:*:*:*"
          }
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware FW 23 installed on PFC 200 (750-82xx/xxx-xxx) ",
          "product_id": "CSAFPID-31002",
          "product_identification_helper": {
            "cpe": "cpe:2.3:o:wago:pfc_200_firmware:fw23:*:*:*:*:*:*:*"
          }
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware FW 28 installed on PFC 200 (750-82xx/xxx-xxx) ",
          "product_id": "CSAFPID-32002",
          "product_identification_helper": {
            "cpe": "cpe:2.3:o:wago:pfc_200_firmware:fw28:*:*:*:*:*:*:*"
          }
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=FW 23 installed on CC 100 (751-9301) ",
          "product_id": "CSAFPID-31003"
        },
        "product_reference": "CSAFPID-21002",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=FW 23 installed on PFC 200 (750-82xx/xxx-xxx) ",
          "product_id": "CSAFPID-31004"
        },
        "product_reference": "CSAFPID-21002",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware V3.5.18.0 installed on CDC 90",
          "product_id": "CSAFPID-31005",
          "product_identification_helper": {
            "cpe": "cpe:2.3:o:wago:cdc_90_firmware:v3.5.18.0:*:*:*:*:*:*:*"
          }
        },
        "product_reference": "CSAFPID-21003",
        "relates_to_product_reference": "CSAFPID-11003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware V3.5.19.0 installed on CDC 90",
          "product_id": "CSAFPID-32003",
          "product_identification_helper": {
            "cpe": "cpe:2.3:o:wago:cdc_90_firmware:v3.5.19.0:*:*:*:*:*:*:*"
          }
        },
        "product_reference": "CSAFPID-22002",
        "relates_to_product_reference": "CSAFPID-11003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=V3.5.18.0 installed on CDC 90",
          "product_id": "CSAFPID-31006"
        },
        "product_reference": "CSAFPID-21004",
        "relates_to_product_reference": "CSAFPID-11003"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-47378",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "Multiple CODESYS products in multiple versions are prone to an improper input validation vulnerability. An authenticated remote attacker may craft specific requests that use the vulnerability leading to a denial-of-service condition.",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006"
        ],
        "last_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31005"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The CDC 90 device is not designed for network connectivity by default. Since it is not connected to a network, the vulnerabilities cannot be exploited. However, if the customer chooses to connect the device to a network, the default firewall settings should be maintained, as this will mitigate the security vulnerabilities. \n\n \n\nFor the CC 100 and PFC 200 devices, ensure that the default firewall settings remain intact and that both PLC Runtime and PLC WebVisu are disabled. This configuration effectively mitigates the identified security vulnerabilities.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Although the CDC 90 device is typically not connected to a network, making exploitation of the vulnerabilities unlikely, Endress+Hauser has provided an update to eliminate the vulnerabilities should the device be connected. \n\n \n\nFor the CC 100 and PFC 200 devices, Endress+Hauser provides updated firmware that incorporates WAGO\u0027s security fixes for the identified vulnerabilities. Customers are advised to update to the latest version.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "environmentalScore": 6.5,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 6.5,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006"
          ]
        }
      ],
      "title": "CVE-2022-47378"
    },
    {
      "cve": "CVE-2022-47379",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "An authenticated, remote attacker may use an out-of-bounds write vulnerability in multiple CODESYS products in multiple versions to write data into memory which can lead to a denial-of-service condition, memory overwriting, or remote code execution.",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006"
        ],
        "last_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31005"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The CDC 90 device is not designed for network connectivity by default. Since it is not connected to a network, the vulnerabilities cannot be exploited. However, if the customer chooses to connect the device to a network, the default firewall settings should be maintained, as this will mitigate the security vulnerabilities. \n\n \n\nFor the CC 100 and PFC 200 devices, ensure that the default firewall settings remain intact and that both PLC Runtime and PLC WebVisu are disabled. This configuration effectively mitigates the identified security vulnerabilities.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Although the CDC 90 device is typically not connected to a network, making exploitation of the vulnerabilities unlikely, Endress+Hauser has provided an update to eliminate the vulnerabilities should the device be connected. \n\n \n\nFor the CC 100 and PFC 200 devices, Endress+Hauser provides updated firmware that incorporates WAGO\u0027s security fixes for the identified vulnerabilities. Customers are advised to update to the latest version.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006"
          ]
        }
      ],
      "title": "CVE-2022-47379"
    },
    {
      "cve": "CVE-2022-47380",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "An authenticated remote attacker may use a stack based out-of-bounds write vulnerability in multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006"
        ],
        "last_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31005"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The CDC 90 device is not designed for network connectivity by default. Since it is not connected to a network, the vulnerabilities cannot be exploited. However, if the customer chooses to connect the device to a network, the default firewall settings should be maintained, as this will mitigate the security vulnerabilities. \n\n \n\nFor the CC 100 and PFC 200 devices, ensure that the default firewall settings remain intact and that both PLC Runtime and PLC WebVisu are disabled. This configuration effectively mitigates the identified security vulnerabilities.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Although the CDC 90 device is typically not connected to a network, making exploitation of the vulnerabilities unlikely, Endress+Hauser has provided an update to eliminate the vulnerabilities should the device be connected. \n\n \n\nFor the CC 100 and PFC 200 devices, Endress+Hauser provides updated firmware that incorporates WAGO\u0027s security fixes for the identified vulnerabilities. Customers are advised to update to the latest version.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006"
          ]
        }
      ],
      "title": "CVE-2022-47380"
    },
    {
      "cve": "CVE-2022-47381",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "An authenticated remote attacker may use a stack based out-of-bounds write vulnerability in multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006"
        ],
        "last_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31005"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The CDC 90 device is not designed for network connectivity by default. Since it is not connected to a network, the vulnerabilities cannot be exploited. However, if the customer chooses to connect the device to a network, the default firewall settings should be maintained, as this will mitigate the security vulnerabilities. \n\n \n\nFor the CC 100 and PFC 200 devices, ensure that the default firewall settings remain intact and that both PLC Runtime and PLC WebVisu are disabled. This configuration effectively mitigates the identified security vulnerabilities.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Although the CDC 90 device is typically not connected to a network, making exploitation of the vulnerabilities unlikely, Endress+Hauser has provided an update to eliminate the vulnerabilities should the device be connected. \n\n \n\nFor the CC 100 and PFC 200 devices, Endress+Hauser provides updated firmware that incorporates WAGO\u0027s security fixes for the identified vulnerabilities. Customers are advised to update to the latest version.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006"
          ]
        }
      ],
      "title": "CVE-2022-47381"
    },
    {
      "cve": "CVE-2022-47382",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "An authenticated remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006"
        ],
        "last_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31005"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The CDC 90 device is not designed for network connectivity by default. Since it is not connected to a network, the vulnerabilities cannot be exploited. However, if the customer chooses to connect the device to a network, the default firewall settings should be maintained, as this will mitigate the security vulnerabilities. \n\n \n\nFor the CC 100 and PFC 200 devices, ensure that the default firewall settings remain intact and that both PLC Runtime and PLC WebVisu are disabled. This configuration effectively mitigates the identified security vulnerabilities.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Although the CDC 90 device is typically not connected to a network, making exploitation of the vulnerabilities unlikely, Endress+Hauser has provided an update to eliminate the vulnerabilities should the device be connected. \n\n \n\nFor the CC 100 and PFC 200 devices, Endress+Hauser provides updated firmware that incorporates WAGO\u0027s security fixes for the identified vulnerabilities. Customers are advised to update to the latest version.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006"
          ]
        }
      ],
      "title": "CVE-2022-47382"
    },
    {
      "cve": "CVE-2022-47383",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006"
        ],
        "last_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31005"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The CDC 90 device is not designed for network connectivity by default. Since it is not connected to a network, the vulnerabilities cannot be exploited. However, if the customer chooses to connect the device to a network, the default firewall settings should be maintained, as this will mitigate the security vulnerabilities. \n\n \n\nFor the CC 100 and PFC 200 devices, ensure that the default firewall settings remain intact and that both PLC Runtime and PLC WebVisu are disabled. This configuration effectively mitigates the identified security vulnerabilities.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Although the CDC 90 device is typically not connected to a network, making exploitation of the vulnerabilities unlikely, Endress+Hauser has provided an update to eliminate the vulnerabilities should the device be connected. \n\n \n\nFor the CC 100 and PFC 200 devices, Endress+Hauser provides updated firmware that incorporates WAGO\u0027s security fixes for the identified vulnerabilities. Customers are advised to update to the latest version.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006"
          ]
        }
      ],
      "title": "CVE-2022-47383"
    },
    {
      "cve": "CVE-2022-47384",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "An authenticated remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006"
        ],
        "last_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31005"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The CDC 90 device is not designed for network connectivity by default. Since it is not connected to a network, the vulnerabilities cannot be exploited. However, if the customer chooses to connect the device to a network, the default firewall settings should be maintained, as this will mitigate the security vulnerabilities. \n\n \n\nFor the CC 100 and PFC 200 devices, ensure that the default firewall settings remain intact and that both PLC Runtime and PLC WebVisu are disabled. This configuration effectively mitigates the identified security vulnerabilities.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Although the CDC 90 device is typically not connected to a network, making exploitation of the vulnerabilities unlikely, Endress+Hauser has provided an update to eliminate the vulnerabilities should the device be connected. \n\n \n\nFor the CC 100 and PFC 200 devices, Endress+Hauser provides updated firmware that incorporates WAGO\u0027s security fixes for the identified vulnerabilities. Customers are advised to update to the latest version.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006"
          ]
        }
      ],
      "title": "CVE-2022-47384"
    },
    {
      "cve": "CVE-2022-47385",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpAppForce Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006"
        ],
        "last_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31005"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The CDC 90 device is not designed for network connectivity by default. Since it is not connected to a network, the vulnerabilities cannot be exploited. However, if the customer chooses to connect the device to a network, the default firewall settings should be maintained, as this will mitigate the security vulnerabilities. \n\n \n\nFor the CC 100 and PFC 200 devices, ensure that the default firewall settings remain intact and that both PLC Runtime and PLC WebVisu are disabled. This configuration effectively mitigates the identified security vulnerabilities.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Although the CDC 90 device is typically not connected to a network, making exploitation of the vulnerabilities unlikely, Endress+Hauser has provided an update to eliminate the vulnerabilities should the device be connected. \n\n \n\nFor the CC 100 and PFC 200 devices, Endress+Hauser provides updated firmware that incorporates WAGO\u0027s security fixes for the identified vulnerabilities. Customers are advised to update to the latest version.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006"
          ]
        }
      ],
      "title": "CVE-2022-47385"
    },
    {
      "cve": "CVE-2022-47386",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006"
        ],
        "last_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31005"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The CDC 90 device is not designed for network connectivity by default. Since it is not connected to a network, the vulnerabilities cannot be exploited. However, if the customer chooses to connect the device to a network, the default firewall settings should be maintained, as this will mitigate the security vulnerabilities. \n\n \n\nFor the CC 100 and PFC 200 devices, ensure that the default firewall settings remain intact and that both PLC Runtime and PLC WebVisu are disabled. This configuration effectively mitigates the identified security vulnerabilities.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Although the CDC 90 device is typically not connected to a network, making exploitation of the vulnerabilities unlikely, Endress+Hauser has provided an update to eliminate the vulnerabilities should the device be connected. \n\n \n\nFor the CC 100 and PFC 200 devices, Endress+Hauser provides updated firmware that incorporates WAGO\u0027s security fixes for the identified vulnerabilities. Customers are advised to update to the latest version.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006"
          ]
        }
      ],
      "title": "CVE-2022-47386"
    },
    {
      "cve": "CVE-2022-47387",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "An authenticated remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006"
        ],
        "last_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31005"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The CDC 90 device is not designed for network connectivity by default. Since it is not connected to a network, the vulnerabilities cannot be exploited. However, if the customer chooses to connect the device to a network, the default firewall settings should be maintained, as this will mitigate the security vulnerabilities. \n\n \n\nFor the CC 100 and PFC 200 devices, ensure that the default firewall settings remain intact and that both PLC Runtime and PLC WebVisu are disabled. This configuration effectively mitigates the identified security vulnerabilities.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Although the CDC 90 device is typically not connected to a network, making exploitation of the vulnerabilities unlikely, Endress+Hauser has provided an update to eliminate the vulnerabilities should the device be connected. \n\n \n\nFor the CC 100 and PFC 200 devices, Endress+Hauser provides updated firmware that incorporates WAGO\u0027s security fixes for the identified vulnerabilities. Customers are advised to update to the latest version.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006"
          ]
        }
      ],
      "title": "CVE-2022-47387"
    },
    {
      "cve": "CVE-2022-47388",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006"
        ],
        "last_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31005"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The CDC 90 device is not designed for network connectivity by default. Since it is not connected to a network, the vulnerabilities cannot be exploited. However, if the customer chooses to connect the device to a network, the default firewall settings should be maintained, as this will mitigate the security vulnerabilities. \n\n \n\nFor the CC 100 and PFC 200 devices, ensure that the default firewall settings remain intact and that both PLC Runtime and PLC WebVisu are disabled. This configuration effectively mitigates the identified security vulnerabilities.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Although the CDC 90 device is typically not connected to a network, making exploitation of the vulnerabilities unlikely, Endress+Hauser has provided an update to eliminate the vulnerabilities should the device be connected. \n\n \n\nFor the CC 100 and PFC 200 devices, Endress+Hauser provides updated firmware that incorporates WAGO\u0027s security fixes for the identified vulnerabilities. Customers are advised to update to the latest version.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006"
          ]
        }
      ],
      "title": "CVE-2022-47388"
    },
    {
      "cve": "CVE-2022-47389",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006"
        ],
        "last_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31005"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The CDC 90 device is not designed for network connectivity by default. Since it is not connected to a network, the vulnerabilities cannot be exploited. However, if the customer chooses to connect the device to a network, the default firewall settings should be maintained, as this will mitigate the security vulnerabilities. \n\n \n\nFor the CC 100 and PFC 200 devices, ensure that the default firewall settings remain intact and that both PLC Runtime and PLC WebVisu are disabled. This configuration effectively mitigates the identified security vulnerabilities.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Although the CDC 90 device is typically not connected to a network, making exploitation of the vulnerabilities unlikely, Endress+Hauser has provided an update to eliminate the vulnerabilities should the device be connected. \n\n \n\nFor the CC 100 and PFC 200 devices, Endress+Hauser provides updated firmware that incorporates WAGO\u0027s security fixes for the identified vulnerabilities. Customers are advised to update to the latest version.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006"
          ]
        }
      ],
      "title": "CVE-2022-47389"
    },
    {
      "cve": "CVE-2022-47390",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "An authenticated, remote attacker may use a stack based out-of-bounds write vulnerability in the CmpTraceMgr Component of multiple CODESYS products in multiple versions to write data into the stack which can lead to a denial-of-service condition, memory overwriting, or remote code execution.",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006"
        ],
        "last_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31005"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The CDC 90 device is not designed for network connectivity by default. Since it is not connected to a network, the vulnerabilities cannot be exploited. However, if the customer chooses to connect the device to a network, the default firewall settings should be maintained, as this will mitigate the security vulnerabilities. \n\n \n\nFor the CC 100 and PFC 200 devices, ensure that the default firewall settings remain intact and that both PLC Runtime and PLC WebVisu are disabled. This configuration effectively mitigates the identified security vulnerabilities.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Although the CDC 90 device is typically not connected to a network, making exploitation of the vulnerabilities unlikely, Endress+Hauser has provided an update to eliminate the vulnerabilities should the device be connected. \n\n \n\nFor the CC 100 and PFC 200 devices, Endress+Hauser provides updated firmware that incorporates WAGO\u0027s security fixes for the identified vulnerabilities. Customers are advised to update to the latest version.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006"
          ]
        }
      ],
      "title": "CVE-2022-47390"
    },
    {
      "cve": "CVE-2022-47391",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "In multiple CODESYS products in multiple versions an unauthorized, remote attacker may use an improper input validation vulnerability to read from invalid addresses leading to a denial of service.",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006"
        ],
        "last_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31005"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The CDC 90 device is not designed for network connectivity by default. Since it is not connected to a network, the vulnerabilities cannot be exploited. However, if the customer chooses to connect the device to a network, the default firewall settings should be maintained, as this will mitigate the security vulnerabilities. \n\n \n\nFor the CC 100 and PFC 200 devices, ensure that the default firewall settings remain intact and that both PLC Runtime and PLC WebVisu are disabled. This configuration effectively mitigates the identified security vulnerabilities.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Although the CDC 90 device is typically not connected to a network, making exploitation of the vulnerabilities unlikely, Endress+Hauser has provided an update to eliminate the vulnerabilities should the device be connected. \n\n \n\nFor the CC 100 and PFC 200 devices, Endress+Hauser provides updated firmware that incorporates WAGO\u0027s security fixes for the identified vulnerabilities. Customers are advised to update to the latest version.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "environmentalScore": 7.5,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.5,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006"
          ]
        }
      ],
      "title": "CVE-2022-47391"
    },
    {
      "cve": "CVE-2022-47392",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "An authenticated, remote attacker may use an improper input validation vulnerability in the CmpApp/CmpAppBP/CmpAppForce Components of multiple CODESYS products in multiple versions to read from an invalid address which can lead to a denial-of-service condition.",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006"
        ],
        "last_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31005"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The CDC 90 device is not designed for network connectivity by default. Since it is not connected to a network, the vulnerabilities cannot be exploited. However, if the customer chooses to connect the device to a network, the default firewall settings should be maintained, as this will mitigate the security vulnerabilities. \n\n \n\nFor the CC 100 and PFC 200 devices, ensure that the default firewall settings remain intact and that both PLC Runtime and PLC WebVisu are disabled. This configuration effectively mitigates the identified security vulnerabilities.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Although the CDC 90 device is typically not connected to a network, making exploitation of the vulnerabilities unlikely, Endress+Hauser has provided an update to eliminate the vulnerabilities should the device be connected. \n\n \n\nFor the CC 100 and PFC 200 devices, Endress+Hauser provides updated firmware that incorporates WAGO\u0027s security fixes for the identified vulnerabilities. Customers are advised to update to the latest version.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "environmentalScore": 6.5,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 6.5,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006"
          ]
        }
      ],
      "title": "CVE-2022-47392"
    },
    {
      "cve": "CVE-2022-47393",
      "cwe": {
        "id": "CWE-119",
        "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "An authenticated, remote attacker may use an Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple versions of multiple CODESYS products to force a denial-of-service situation.",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006"
        ],
        "last_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31005"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The CDC 90 device is not designed for network connectivity by default. Since it is not connected to a network, the vulnerabilities cannot be exploited. However, if the customer chooses to connect the device to a network, the default firewall settings should be maintained, as this will mitigate the security vulnerabilities. \n\n \n\nFor the CC 100 and PFC 200 devices, ensure that the default firewall settings remain intact and that both PLC Runtime and PLC WebVisu are disabled. This configuration effectively mitigates the identified security vulnerabilities.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Although the CDC 90 device is typically not connected to a network, making exploitation of the vulnerabilities unlikely, Endress+Hauser has provided an update to eliminate the vulnerabilities should the device be connected. \n\n \n\nFor the CC 100 and PFC 200 devices, Endress+Hauser provides updated firmware that incorporates WAGO\u0027s security fixes for the identified vulnerabilities. Customers are advised to update to the latest version.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "environmentalScore": 6.5,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 6.5,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006"
          ]
        }
      ],
      "title": "CVE-2022-47393"
    }
  ]
}

