CVE Vulnerability

CVE-2022-2758

Passwords are not adequately encrypted during the communication process between all versions of LS Industrial Systems (LSIS) Co. Ltd LS Electric XG5000 software prior to V4.0 and LS Electric PLCs: all versions of XGK-CPUU/H/A/S/E prior to V3.50, all versions of XGI-CPUU/UD/H/S/E prior to V3.20, all versions of XGR-CPUH prior to V1.80, all versions of XGB-XBMS prior to V3.00, all versions of XGB-XBCH prior to V1.90, and all versions of XGB-XECH prior to V1.30. This would allow an attacker to identify and decrypt the password of the affected PLCs by sniffing the PLC’s communication traffic.

5.9 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-02 Third Party Advisory US Government Resource
Configurations

Configuration 1

cpe:2.3:a:ls-electric:xg5000:*:*:*:*:*:*:*:*
Information

Published : 2022-08-31 04:15

Updated : 2022-11-14 10:15

NVD link : CVE-2022-2758

Mitre link : CVE-2022-2758

Products Affected

Ls-electric

Xbc-dn30su Firmware

CWE
CWE-326

Inadequate Encryption Strength