The reason I ask is that I read this on your website about the software: "Originally developed as HMI/SCADA software, the entire zenon software platform covers significantly more application areas.".
Open Automation Software Platform (OAS), released by Cisco Talos [1]. Out of
the eight assessed vulnerabilities, two (namely CVE-2022-26082 and
CVE-2022-26833) have received a CVSS score of 9.1 and 9.4. These
vulnerabilities affect all OAS software prior to 16.00.0112.
The most critical one, CVE-2022-26833, allows unauthenticated use of the REST
API by sending specially crafted HTTP requests. The attacker is able to
authenticate themselves using blank credentials sent to the vulnerable
endpoint, and upon receiving a client ID as well as a functioning token, send
requests to the REST API [2].
CVE-2022-26082, with a CVSS score of 9.1, lets an attacker execute arbitrary
code on the targeted OAS platform. With a series of configuration messages, the
threat actor can upload a file of their choice to the underlying system, as
permissible by the 'oas-engine' service owner user [3].
Other listed vulnerabilities are said to assist in information disclosure
(CVE-2022-26007, CVE-2022-27169 & CVE-2022-26067), arbitrary configuration
changes (CVE-2022-26303 & CVE-2022-26043) and Denial of Service
(CVE-2022-26026).
This is a migrated post! Originally posted on 01.06.2022 by user curiousgeorge. Please be aware that information can be outdated.