Vulnerability Details CVE-2022-30269
Motorola ACE1000 RTUs through 2022-05-02 mishandle application integrity. They allow for custom application installation via either STS software, the C toolkit, or the ACE1000 Easy Configurator. In the case of the Easy Configurator, application images (as PLX/DAT/APP/CRC files) are uploaded via the Web UI. In case of the C toolkit, they are transferred and installed using SFTP/SSH. In each case, application images were found to have no authentication (in the form of firmware signing) and only relied on insecure checksums for regular integrity checks.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 27.4%
CVSS Severity
CVSS v3 Score 8.8
References
Products affected by CVE-2022-30269
-
cpe:2.3:h:motorola:ace1000:-
-
cpe:2.3:o:motorola:ace1000_firmware:-