CVE-2022-2474

Authentication is currently unsupported in Haas Controller version 100.20.000.1110 when using the Ethernet Q Commands service, which allows any user on the same network segment as the controller (even while connected remotely) to access the service and write unauthorized macros to the device.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
icscertCNA
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 17%
VendorProductVersion
haascnchaas_controller_firmware
100.20.000.1110
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-01
https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-01