CVE-2022-2105

Client-side JavaScript controls may be bypassed to change user credentials and permissions without authentication, including a “root” user level meant only for the vendor. Web server root level access allows for changing of safety critical parameters.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.4 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
secheronsepcos_control_and_protection_relay_firmware
1.23.0 ≤
𝑥
< 1.23.21
secheronsepcos_control_and_protection_relay_firmware
1.24.0 ≤
𝑥
< 1.24.8
secheronsepcos_control_and_protection_relay_firmware
1.25.0 ≤
𝑥
< 1.25.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03
https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03