Search criteria
31 vulnerabilities by emerson
CVE-2022-50930 (GCVE-0-2022-50930)
Vulnerability from cvelistv5 – Published: 2026-01-13 22:51 – Updated: 2026-01-14 15:29
VLAI?
Title
Emerson PAC Machine Edition 9.80 Build 8695 - 'TrapiServer' Unquoted Service Path
Summary
Emerson PAC Machine Edition 9.80 contains an unquoted service path vulnerability in the TrapiServer service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem permissions during service startup.
Severity ?
CWE
- CWE-428 - Unquoted Search Path or Element
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Emerson | Emerson PAC Machine Edition |
Affected:
9.80
|
Credits
Luis Martinez
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-50930",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T15:29:44.423568Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T15:29:51.155Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Emerson PAC Machine Edition",
"vendor": "Emerson",
"versions": [
{
"status": "affected",
"version": "9.80"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Luis Martinez"
}
],
"datePublic": "2022-02-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Emerson PAC Machine Edition 9.80 contains an unquoted service path vulnerability in the TrapiServer service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem permissions during service startup."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-428",
"description": "Unquoted Search Path or Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T22:51:58.910Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-50745",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/50745"
},
{
"name": "Emerson Official Homepage",
"tags": [
"product"
],
"url": "https://www.emerson.com/en-us"
},
{
"name": "Software Download Link",
"tags": [
"product"
],
"url": "https://www.opertek.com/descargar-software/?prc=_326"
},
{
"name": "VulnCheck Advisory: Emerson PAC Machine Edition 9.80 Build 8695 - \u0027TrapiServer\u0027 Unquoted Service Path",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/emerson-pac-machine-edition-build-trapiserver-unquoted-service-path"
}
],
"title": "Emerson PAC Machine Edition 9.80 Build 8695 - \u0027TrapiServer\u0027 Unquoted Service Path",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2022-50930",
"datePublished": "2026-01-13T22:51:58.910Z",
"dateReserved": "2026-01-11T13:34:26.328Z",
"dateUpdated": "2026-01-14T15:29:51.155Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-53471 (GCVE-0-2025-53471)
Vulnerability from cvelistv5 – Published: 2025-07-10 23:45 – Updated: 2025-07-11 13:29
VLAI?
Title
Emerson ValveLink Products Improper Input Validation
Summary
Emerson ValveLink products
receive input or data, but it do not validate or incorrectly
validates that the input has the properties that are required to process
the data safely and correctly.
Severity ?
5.1 (Medium)
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Emerson | ValveLink SOLO |
Affected:
0 , < ValveLink 14.0
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
Emerson reported these vulnerabilities to CISA.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53471",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-11T13:29:05.416717Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T13:29:12.368Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ValveLink SOLO",
"vendor": "Emerson",
"versions": [
{
"lessThan": "ValveLink 14.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ValveLink DTM",
"vendor": "Emerson",
"versions": [
{
"lessThan": "ValveLink 14.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ValveLink PRM",
"vendor": "Emerson",
"versions": [
{
"lessThan": "ValveLink 14.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ValveLink SNAP-ON",
"vendor": "Emerson",
"versions": [
{
"lessThan": "ValveLink 14.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Emerson reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Emerson ValveLink products \nreceive input or data, but it do not validate or incorrectly \nvalidates that the input has the properties that are required to process\n the data safely and correctly."
}
],
"value": "Emerson ValveLink products \nreceive input or data, but it do not validate or incorrectly \nvalidates that the input has the properties that are required to process\n the data safely and correctly."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T23:45:39.592Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-189-01"
},
{
"url": "https://www.emerson.com/en-us/support/security-notifications"
},
{
"url": "https://www.emerson.com/en-us/support/software-downloads-drivers"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Emerson recommends users update their Valvelink software to ValveLink \n14.0 or later. The upgrade can be downloaded from the Emerson \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.emerson.com/en-us/support/software-downloads-drivers\"\u003ewebsite\u003c/a\u003e\u0026nbsp;.\u003cp\u003eFor more information see the associated \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.emerson.com/en-us/support/security-notifications\"\u003eEmerson security notification.\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "Emerson recommends users update their Valvelink software to ValveLink \n14.0 or later. The upgrade can be downloaded from the Emerson website https://www.emerson.com/en-us/support/software-downloads-drivers \u00a0.For more information see the associated Emerson security notification. https://www.emerson.com/en-us/support/security-notifications"
}
],
"source": {
"advisory": "ICSA-25-189-01",
"discovery": "INTERNAL"
},
"title": "Emerson ValveLink Products Improper Input Validation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-53471",
"datePublished": "2025-07-10T23:45:39.592Z",
"dateReserved": "2025-06-30T14:34:56.244Z",
"dateUpdated": "2025-07-11T13:29:12.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48496 (GCVE-0-2025-48496)
Vulnerability from cvelistv5 – Published: 2025-07-10 23:43 – Updated: 2025-07-11 13:54
VLAI?
Title
Emerson ValveLink Products Uncontrolled Search Path Element
Summary
Emerson ValveLink products
use a fixed or controlled search path to find resources, but one or
more locations in that path can be under the control of unintended
actors.
Severity ?
5.1 (Medium)
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Emerson | ValveLink SOLO |
Affected:
0 , < ValveLink 14.0
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
Emerson reported these vulnerabilities to CISA.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48496",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-11T13:53:53.258810Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T13:54:00.868Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ValveLink SOLO",
"vendor": "Emerson",
"versions": [
{
"lessThan": "ValveLink 14.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ValveLink DTM",
"vendor": "Emerson",
"versions": [
{
"lessThan": "ValveLink 14.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ValveLink PRM",
"vendor": "Emerson",
"versions": [
{
"lessThan": "ValveLink 14.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ValveLink SNAP-ON",
"vendor": "Emerson",
"versions": [
{
"lessThan": "ValveLink 14.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Emerson reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Emerson ValveLink products \nuse a fixed or controlled search path to find resources, but one or \nmore locations in that path can be under the control of unintended \nactors."
}
],
"value": "Emerson ValveLink products \nuse a fixed or controlled search path to find resources, but one or \nmore locations in that path can be under the control of unintended \nactors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "CWE-427",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T23:43:33.592Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-189-01"
},
{
"url": "https://www.emerson.com/en-us/support/security-notifications"
},
{
"url": "https://www.emerson.com/en-us/support/software-downloads-drivers"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Emerson recommends users update their Valvelink software to ValveLink \n14.0 or later. The upgrade can be downloaded from the Emerson \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.emerson.com/en-us/support/software-downloads-drivers\"\u003ewebsite\u003c/a\u003e\u0026nbsp;.\u003cp\u003eFor more information see the associated \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.emerson.com/en-us/support/security-notifications\"\u003eEmerson security notification.\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "Emerson recommends users update their Valvelink software to ValveLink \n14.0 or later. The upgrade can be downloaded from the Emerson website https://www.emerson.com/en-us/support/software-downloads-drivers \u00a0.For more information see the associated Emerson security notification. https://www.emerson.com/en-us/support/security-notifications"
}
],
"source": {
"advisory": "ICSA-25-189-01",
"discovery": "INTERNAL"
},
"title": "Emerson ValveLink Products Uncontrolled Search Path Element",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-48496",
"datePublished": "2025-07-10T23:43:33.592Z",
"dateReserved": "2025-06-30T14:34:56.236Z",
"dateUpdated": "2025-07-11T13:54:00.868Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-46358 (GCVE-0-2025-46358)
Vulnerability from cvelistv5 – Published: 2025-07-10 23:41 – Updated: 2025-07-11 13:54
VLAI?
Title
Emerson ValveLink Products Protection Mechanism Failure
Summary
Emerson ValveLink products
do not use or incorrectly uses a protection mechanism that provides
sufficient defense against directed attacks against the product.
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Emerson | ValveLink SOLO |
Affected:
0 , < ValveLink 14.0
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
Emerson reported these vulnerabilities to CISA.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46358",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-11T13:54:19.712968Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T13:54:26.695Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ValveLink SOLO",
"vendor": "Emerson",
"versions": [
{
"lessThan": "ValveLink 14.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ValveLink DTM",
"vendor": "Emerson",
"versions": [
{
"lessThan": "ValveLink 14.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ValveLink PRM",
"vendor": "Emerson",
"versions": [
{
"lessThan": "ValveLink 14.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ValveLink SNAP-ON",
"vendor": "Emerson",
"versions": [
{
"lessThan": "ValveLink 14.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Emerson reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Emerson ValveLink products \ndo not use or incorrectly uses a protection mechanism that provides \nsufficient defense against directed attacks against the product."
}
],
"value": "Emerson ValveLink products \ndo not use or incorrectly uses a protection mechanism that provides \nsufficient defense against directed attacks against the product."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T23:41:25.965Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-189-01"
},
{
"url": "https://www.emerson.com/en-us/support/security-notifications"
},
{
"url": "https://www.emerson.com/en-us/support/software-downloads-drivers"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Emerson recommends users update their Valvelink software to ValveLink \n14.0 or later. The upgrade can be downloaded from the Emerson \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.emerson.com/en-us/support/software-downloads-drivers\"\u003ewebsite\u003c/a\u003e\u0026nbsp;.\u003cp\u003eFor more information see the associated \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.emerson.com/en-us/support/security-notifications\"\u003eEmerson security notification.\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "Emerson recommends users update their Valvelink software to ValveLink \n14.0 or later. The upgrade can be downloaded from the Emerson website https://www.emerson.com/en-us/support/software-downloads-drivers \u00a0.For more information see the associated Emerson security notification. https://www.emerson.com/en-us/support/security-notifications"
}
],
"source": {
"advisory": "ICSA-25-189-01",
"discovery": "INTERNAL"
},
"title": "Emerson ValveLink Products Protection Mechanism Failure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-46358",
"datePublished": "2025-07-10T23:41:25.965Z",
"dateReserved": "2025-06-30T14:34:56.228Z",
"dateUpdated": "2025-07-11T13:54:26.695Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-50109 (GCVE-0-2025-50109)
Vulnerability from cvelistv5 – Published: 2025-07-10 23:39 – Updated: 2025-07-11 13:54
VLAI?
Title
Emerson ValveLink Products Cleartext Storage of Sensitive Information in Memory
Summary
Emerson ValveLink Products store
sensitive information in cleartext within a resource that might be accessible to another control sphere.
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Emerson | ValveLink SOLO |
Affected:
0 , < ValveLink 14.0
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
Emerson reported these vulnerabilities to CISA.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-50109",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-11T13:54:46.838203Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T13:54:53.276Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ValveLink SOLO",
"vendor": "Emerson",
"versions": [
{
"lessThan": "ValveLink 14.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ValveLink DTM",
"vendor": "Emerson",
"versions": [
{
"lessThan": "ValveLink 14.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ValveLink PRM",
"vendor": "Emerson",
"versions": [
{
"lessThan": "ValveLink 14.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ValveLink SNAP-ON",
"vendor": "Emerson",
"versions": [
{
"lessThan": "ValveLink 14.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Emerson reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Emerson ValveLink Products store\nsensitive information in cleartext within a resource that might be accessible to another control sphere."
}
],
"value": "Emerson ValveLink Products store\nsensitive information in cleartext within a resource that might be accessible to another control sphere."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-316",
"description": "CWE-316",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T23:39:11.220Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-189-01"
},
{
"url": "https://www.emerson.com/en-us/support/security-notifications"
},
{
"url": "https://www.emerson.com/en-us/support/software-downloads-drivers"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Emerson recommends users update their Valvelink software to ValveLink \n14.0 or later. The upgrade can be downloaded from the Emerson \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.emerson.com/en-us/support/software-downloads-drivers\"\u003ewebsite\u003c/a\u003e\u0026nbsp;.\u003cp\u003eFor more information see the associated \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.emerson.com/en-us/support/security-notifications\"\u003eEmerson security notification.\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "Emerson recommends users update their Valvelink software to ValveLink \n14.0 or later. The upgrade can be downloaded from the Emerson website https://www.emerson.com/en-us/support/software-downloads-drivers \u00a0.For more information see the associated Emerson security notification. https://www.emerson.com/en-us/support/security-notifications"
}
],
"source": {
"advisory": "ICSA-25-189-01",
"discovery": "INTERNAL"
},
"title": "Emerson ValveLink Products Cleartext Storage of Sensitive Information in Memory",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-50109",
"datePublished": "2025-07-10T23:39:11.220Z",
"dateReserved": "2025-06-30T14:34:56.221Z",
"dateUpdated": "2025-07-11T13:54:53.276Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-52579 (GCVE-0-2025-52579)
Vulnerability from cvelistv5 – Published: 2025-07-10 23:37 – Updated: 2025-07-11 13:55
VLAI?
Title
Emerson ValveLink Products Cleartext Storage of Sensitive Information in Memory
Summary
Emerson ValveLink Products store sensitive information in cleartext in memory. The
sensitive memory might be saved to disk, stored in a core dump, or
remain uncleared if the product crashes, or if the programmer does not
properly clear the memory before freeing it.
Severity ?
9.4 (Critical)
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Emerson | ValveLink SOLO |
Affected:
0 , < ValveLink 14.0
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
Emerson reported these vulnerabilities to CISA.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52579",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-11T13:55:09.770121Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T13:55:15.422Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ValveLink SOLO",
"vendor": "Emerson",
"versions": [
{
"lessThan": "ValveLink 14.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ValveLink DTM",
"vendor": "Emerson",
"versions": [
{
"lessThan": "ValveLink 14.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ValveLink PRM",
"vendor": "Emerson",
"versions": [
{
"lessThan": "ValveLink 14.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ValveLink SNAP-ON",
"vendor": "Emerson",
"versions": [
{
"lessThan": "ValveLink 14.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Emerson reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Emerson ValveLink Products store sensitive information in cleartext in memory. The \nsensitive memory might be saved to disk, stored in a core dump, or \nremain uncleared if the product crashes, or if the programmer does not \nproperly clear the memory before freeing it."
}
],
"value": "Emerson ValveLink Products store sensitive information in cleartext in memory. The \nsensitive memory might be saved to disk, stored in a core dump, or \nremain uncleared if the product crashes, or if the programmer does not \nproperly clear the memory before freeing it."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-316",
"description": "CWE-316",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T23:47:22.866Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-189-01"
},
{
"url": "https://www.emerson.com/en-us/support/security-notifications"
},
{
"url": "https://www.emerson.com/en-us/support/software-downloads-drivers"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Emerson recommends users update their Valvelink software to ValveLink \n14.0 or later. The upgrade can be downloaded from the Emerson \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.emerson.com/en-us/support/software-downloads-drivers\"\u003ewebsite\u003c/a\u003e\u0026nbsp;.\u003cp\u003eFor more information see the associated \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.emerson.com/en-us/support/security-notifications\"\u003eEmerson security notification.\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "Emerson recommends users update their Valvelink software to ValveLink \n14.0 or later. The upgrade can be downloaded from the Emerson website https://www.emerson.com/en-us/support/software-downloads-drivers \u00a0.For more information see the associated Emerson security notification. https://www.emerson.com/en-us/support/security-notifications"
}
],
"source": {
"advisory": "ICSA-25-189-01",
"discovery": "INTERNAL"
},
"title": "Emerson ValveLink Products Cleartext Storage of Sensitive Information in Memory",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-52579",
"datePublished": "2025-07-10T23:37:21.515Z",
"dateReserved": "2025-06-30T14:34:56.212Z",
"dateUpdated": "2025-07-11T13:55:15.422Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43609 (GCVE-0-2023-43609)
Vulnerability from cvelistv5 – Published: 2024-02-09 03:52 – Updated: 2025-06-10 18:52
VLAI?
Title
Emerson Rosemount GC370XA, GC700XA, GC1500XA Improper Authorization
Summary
In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could obtain access to sensitive information or cause a denial-of-service condition.
Severity ?
6.9 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Emerson | Rosemount GC370XA |
Affected:
0 , ≤ Version 4.1.5
(custom)
|
||||||||||||
|
||||||||||||||
Credits
Vera Mens of Claroty Research reported these vulnerabilities to Emerson.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43609",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-09T19:00:54.881050Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:20:48.571Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:43.814Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-01"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.emerson.com/documents/automation/security-notification-emerson-gas-chromatographs-cyber-security-notification-icsa-24-030-01-en-10103910.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Rosemount GC370XA",
"vendor": "Emerson",
"versions": [
{
"lessThanOrEqual": "Version 4.1.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Rosemount GC700XA",
"vendor": "Emerson",
"versions": [
{
"lessThanOrEqual": "Version 4.1.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Rosemount GC1500XA",
"vendor": "Emerson",
"versions": [
{
"lessThanOrEqual": "Version 4.1.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Vera Mens of Claroty Research reported these vulnerabilities to Emerson."
}
],
"datePublic": "2024-01-30T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could obtain access to sensitive information or cause a denial-of-service condition.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could obtain access to sensitive information or cause a denial-of-service condition."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T18:52:01.605Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-01"
},
{
"url": "https://www.emerson.com/documents/automation/security-notification-emerson-gas-chromatographs-cyber-security-notification-icsa-24-030-01-en-10103910.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eEmerson recommends end users update the affected products\u0027 firmware. For update information, contact \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\"\u003eEmerson Tech Support\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e. Emerson recommends end users continue to use current cybersecurity industry best practices, and in the event such infrastructure is not implemented within an end user\u0027s network, the user should take action to ensure the affected product is connected to a well-protected network and not connected to the Internet. For more information, refer to the \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.emerson.com/en-us/support/security-notifications\"\u003eEmerson Security\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;web page.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Emerson recommends end users update the affected products\u0027 firmware. For update information, contact Emerson Security https://www.emerson.com/en-us/support/security-notifications \u00a0web page."
}
],
"source": {
"advisory": "ICSA-24-030-01",
"discovery": "EXTERNAL"
},
"title": "Emerson Rosemount GC370XA, GC700XA, GC1500XA Improper Authorization",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2023-43609",
"datePublished": "2024-02-09T03:52:03.096Z",
"dateReserved": "2024-01-03T00:41:24.590Z",
"dateUpdated": "2025-06-10T18:52:01.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46687 (GCVE-0-2023-46687)
Vulnerability from cvelistv5 – Published: 2024-02-09 03:49 – Updated: 2025-06-17 21:29
VLAI?
Title
Emerson Rosemount GC370XA, GC700XA, GC1500XA Command Injection
Summary
In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could execute arbitrary commands in root context from a remote computer.
Severity ?
9.8 (Critical)
CWE
- CWE-77 - Command Injection
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Emerson | Rosemount GC370XA |
Affected:
0 , ≤ Version 4.1.5
(custom)
|
||||||||||||
|
||||||||||||||
Credits
Vera Mens of Claroty Research reported these vulnerabilities to Emerson.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:53:20.875Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-01"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.emerson.com/documents/automation/security-notification-emerson-gas-chromatographs-cyber-security-notification-icsa-24-030-01-en-10103910.pdf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46687",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-09T16:54:56.679793Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T21:29:29.569Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Rosemount GC370XA",
"vendor": "Emerson",
"versions": [
{
"lessThanOrEqual": "Version 4.1.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Rosemount GC700XA",
"vendor": "Emerson",
"versions": [
{
"lessThanOrEqual": "Version 4.1.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Rosemount GC1500XA",
"vendor": "Emerson",
"versions": [
{
"lessThanOrEqual": "Version 4.1.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Vera Mens of Claroty Research reported these vulnerabilities to Emerson."
}
],
"datePublic": "2024-01-30T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could execute arbitrary commands in root context from a remote computer.\u003c/span\u003e\n\n\u003c/span\u003e\n\n"
}
],
"value": "\n\n\nIn Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could execute arbitrary commands in root context from a remote computer.\n\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-09T03:49:28.352Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-01"
},
{
"url": "https://www.emerson.com/documents/automation/security-notification-emerson-gas-chromatographs-cyber-security-notification-icsa-24-030-01-en-10103910.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eEmerson recommends end users update the affected products\u0027 firmware. For update information, contact \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\"\u003eEmerson Tech Support\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e. Emerson recommends end users continue to use current cybersecurity industry best practices, and in the event such infrastructure is not implemented within an end user\u0027s network, the user should take action to ensure the affected product is connected to a well-protected network and not connected to the Internet. For more information, refer to the \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.emerson.com/en-us/support/security-notifications\"\u003eEmerson Security\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;web page.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "\nEmerson recommends end users update the affected products\u0027 firmware. For update information, contact Emerson Security https://www.emerson.com/en-us/support/security-notifications \u00a0web page.\n\n\n"
}
],
"source": {
"advisory": "ICSA-24-030-01",
"discovery": "EXTERNAL"
},
"title": "Emerson Rosemount GC370XA, GC700XA, GC1500XA Command Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2023-46687",
"datePublished": "2024-02-09T03:49:28.352Z",
"dateReserved": "2024-01-03T00:41:24.578Z",
"dateUpdated": "2025-06-17T21:29:29.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49716 (GCVE-0-2023-49716)
Vulnerability from cvelistv5 – Published: 2024-02-09 03:45 – Updated: 2025-06-17 21:29
VLAI?
Title
Emerson Rosemount GC370XA, GC700XA, GC1500XA Command Injection
Summary
In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an authenticated user with network access could run arbitrary commands from a remote computer.
Severity ?
6.9 (Medium)
CWE
- CWE-77 - Command Injection
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Emerson | Rosemount GC370XA |
Affected:
0 , ≤ Version 4.1.5
(custom)
|
||||||||||||
|
||||||||||||||
Credits
Vera Mens of Claroty Research reported these vulnerabilities to Emerson.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:01:25.566Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-01"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.emerson.com/documents/automation/security-notification-emerson-gas-chromatographs-cyber-security-notification-icsa-24-030-01-en-10103910.pdf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-49716",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-11T17:07:50.900513Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T21:29:29.697Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Rosemount GC370XA",
"vendor": "Emerson",
"versions": [
{
"lessThanOrEqual": "Version 4.1.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Rosemount GC700XA",
"vendor": "Emerson",
"versions": [
{
"lessThanOrEqual": "Version 4.1.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Rosemount GC1500XA",
"vendor": "Emerson",
"versions": [
{
"lessThanOrEqual": "Version 4.1.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Vera Mens of Claroty Research reported these vulnerabilities to Emerson."
}
],
"datePublic": "2024-01-30T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an authenticated user with network access could run arbitrary commands from a remote computer.\u003c/span\u003e\n\n"
}
],
"value": "\nIn Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an authenticated user with network access could run arbitrary commands from a remote computer.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-09T03:45:37.621Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-01"
},
{
"url": "https://www.emerson.com/documents/automation/security-notification-emerson-gas-chromatographs-cyber-security-notification-icsa-24-030-01-en-10103910.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eEmerson recommends end users update the affected products\u0027 firmware. For update information, contact \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\"\u003eEmerson Tech Support\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e. Emerson recommends end users continue to use current cybersecurity industry best practices, and in the event such infrastructure is not implemented within an end user\u0027s network, the user should take action to ensure the affected product is connected to a well-protected network and not connected to the Internet. For more information, refer to the \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.emerson.com/en-us/support/security-notifications\"\u003eEmerson Security\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;web page.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "\nEmerson recommends end users update the affected products\u0027 firmware. For update information, contact Emerson Security https://www.emerson.com/en-us/support/security-notifications \u00a0web page.\n\n\n"
}
],
"source": {
"advisory": "ICSA-24-030-01",
"discovery": "EXTERNAL"
},
"title": "Emerson Rosemount GC370XA, GC700XA, GC1500XA Command Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2023-49716",
"datePublished": "2024-02-09T03:45:37.621Z",
"dateReserved": "2024-01-03T00:41:24.597Z",
"dateUpdated": "2025-06-17T21:29:29.697Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-51761 (GCVE-0-2023-51761)
Vulnerability from cvelistv5 – Published: 2024-02-09 03:41 – Updated: 2025-06-10 18:52
VLAI?
Title
Emerson Rosemount GC370XA, GC700XA, GC1500XA Improper Authentication
Summary
In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could bypass authentication and acquire admin capabilities.
Severity ?
8.3 (High)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Emerson | Rosemount GC370XA |
Affected:
0 , ≤ Version 4.1.5
(custom)
|
||||||||||||
|
||||||||||||||
Credits
Vera Mens of Claroty Research reported these vulnerabilities to Emerson.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51761",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-09T19:11:47.314496Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:20:48.797Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:48:11.069Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-01"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.emerson.com/documents/automation/security-notification-emerson-gas-chromatographs-cyber-security-notification-icsa-24-030-01-en-10103910.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Rosemount GC370XA",
"vendor": "Emerson",
"versions": [
{
"lessThanOrEqual": "Version 4.1.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Rosemount GC700XA",
"vendor": "Emerson",
"versions": [
{
"lessThanOrEqual": "Version 4.1.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Rosemount GC1500XA",
"vendor": "Emerson",
"versions": [
{
"lessThanOrEqual": "Version 4.1.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Vera Mens of Claroty Research reported these vulnerabilities to Emerson."
}
],
"datePublic": "2024-01-30T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could bypass authentication and acquire admin capabilities.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could bypass authentication and acquire admin capabilities."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T18:52:34.491Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-01"
},
{
"url": "https://www.emerson.com/documents/automation/security-notification-emerson-gas-chromatographs-cyber-security-notification-icsa-24-030-01-en-10103910.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eEmerson recommends end users update the affected products\u0027 firmware. For update information, contact \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\"\u003eEmerson Tech Support\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e. Emerson recommends end users continue to use current cybersecurity industry best practices, and in the event such infrastructure is not implemented within an end user\u0027s network, the user should take action to ensure the affected product is connected to a well-protected network and not connected to the Internet. For more information, refer to the \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.emerson.com/en-us/support/security-notifications\"\u003eEmerson Security\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;web page.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Emerson recommends end users update the affected products\u0027 firmware. For update information, contact Emerson Security https://www.emerson.com/en-us/support/security-notifications \u00a0web page."
}
],
"source": {
"advisory": "ICSA-24-030-01",
"discovery": "EXTERNAL"
},
"title": "Emerson Rosemount GC370XA, GC700XA, GC1500XA Improper Authentication",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2023-51761",
"datePublished": "2024-02-09T03:41:37.457Z",
"dateReserved": "2024-01-03T00:41:24.585Z",
"dateUpdated": "2025-06-10T18:52:34.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-16235 (GCVE-0-2020-16235)
Vulnerability from cvelistv5 – Published: 2022-05-19 17:23 – Updated: 2025-04-16 16:19
VLAI?
Title
Emerson OpenEnterprise - Inadequate Encryption Strength
Summary
Inadequate encryption may allow the credentials used by Emerson OpenEnterprise, up through version 3.3.5, to access field devices and external systems to be obtained.
Severity ?
CWE
- CWE-326 - Inadequate Encryption Strength
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Emerson | Open Enterprise |
Affected:
All , ≤ 3.3.5
(custom)
|
Credits
Roman Lozko of Kaspersky reported this vulnerability to Emerson.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:37:53.860Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-238-02"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-16235",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T15:52:01.112016Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T16:19:26.405Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Open Enterprise",
"vendor": "Emerson",
"versions": [
{
"lessThanOrEqual": "3.3.5",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Roman Lozko of Kaspersky reported this vulnerability to Emerson."
}
],
"descriptions": [
{
"lang": "en",
"value": "Inadequate encryption may allow the credentials used by Emerson OpenEnterprise, up through version 3.3.5, to access field devices and external systems to be obtained."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326 Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-19T17:23:12.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-238-02"
}
],
"source": {
"advisory": "ICSA-20-238-02",
"discovery": "UNKNOWN"
},
"title": "Emerson OpenEnterprise - Inadequate Encryption Strength",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2020-16235",
"STATE": "PUBLIC",
"TITLE": "Emerson OpenEnterprise - Inadequate Encryption Strength"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Open Enterprise",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "All",
"version_value": "3.3.5"
}
]
}
}
]
},
"vendor_name": "Emerson"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Roman Lozko of Kaspersky reported this vulnerability to Emerson."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Inadequate encryption may allow the credentials used by Emerson OpenEnterprise, up through version 3.3.5, to access field devices and external systems to be obtained."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-326 Inadequate Encryption Strength"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-238-02",
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-238-02"
}
]
},
"source": {
"advisory": "ICSA-20-238-02",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-16235",
"datePublished": "2022-05-19T17:23:12.000Z",
"dateReserved": "2020-07-31T00:00:00.000Z",
"dateUpdated": "2025-04-16T16:19:26.405Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10636 (GCVE-0-2020-10636)
Vulnerability from cvelistv5 – Published: 2022-02-24 18:50 – Updated: 2025-04-16 16:44
VLAI?
Title
ICSA-20-140-02 Emerson OpenEnterprise
Summary
Inadequate encryption may allow the passwords for Emerson OpenEnterprise versions through 3.3.4 user accounts to be obtained.
Severity ?
6.5 (Medium)
CWE
- CWE-326 - Inadequate Encryption Strength
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Emerson | OpenEnterprise SCADA Software |
Affected:
unspecified , ≤ 3.3.4
(custom)
|
Credits
Roman Lozko of Kaspersky reported these vulnerabilities to Emerson.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:06:10.560Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-140-02"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-10636",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T15:56:12.083899Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T16:44:11.037Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OpenEnterprise SCADA Software",
"vendor": "Emerson",
"versions": [
{
"lessThanOrEqual": "3.3.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Roman Lozko of Kaspersky reported these vulnerabilities to Emerson."
}
],
"descriptions": [
{
"lang": "en",
"value": "Inadequate encryption may allow the passwords for Emerson OpenEnterprise versions through 3.3.4 user accounts to be obtained."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326: Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-24T18:50:16.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-140-02"
}
],
"solutions": [
{
"lang": "en",
"value": "Emerson recommends all users upgrade to OpenEnterprise 3.3, Service Pack 5 (3.3.5), to resolve these issues. OpenEnterprise Service Packs are available to users with access to the Emerson SupportNet system (login required). Details will be found in the downloads area.\n\nPlease send any questions via a SupportNet ticket or by contacting Emerson at US 800-537-9313. For users outside of the United States, please use international toll-free numbers."
}
],
"source": {
"advisory": "ICSA-20-140-02",
"discovery": "EXTERNAL"
},
"title": "ICSA-20-140-02 Emerson OpenEnterprise",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2020-10636",
"STATE": "PUBLIC",
"TITLE": "ICSA-20-140-02 Emerson OpenEnterprise"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OpenEnterprise SCADA Software",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "3.3.4"
}
]
}
}
]
},
"vendor_name": "Emerson"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Roman Lozko of Kaspersky reported these vulnerabilities to Emerson."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Inadequate encryption may allow the passwords for Emerson OpenEnterprise versions through 3.3.4 user accounts to be obtained."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-326: Inadequate Encryption Strength"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-140-02",
"refsource": "CONFIRM",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-140-02"
}
]
},
"solution": [
{
"lang": "en",
"value": "Emerson recommends all users upgrade to OpenEnterprise 3.3, Service Pack 5 (3.3.5), to resolve these issues. OpenEnterprise Service Packs are available to users with access to the Emerson SupportNet system (login required). Details will be found in the downloads area.\n\nPlease send any questions via a SupportNet ticket or by contacting Emerson at US 800-537-9313. For users outside of the United States, please use international toll-free numbers."
}
],
"source": {
"advisory": "ICSA-20-140-02",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-10636",
"datePublished": "2022-02-24T18:50:16.000Z",
"dateReserved": "2020-03-16T00:00:00.000Z",
"dateUpdated": "2025-04-16T16:44:11.037Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10640 (GCVE-0-2020-10640)
Vulnerability from cvelistv5 – Published: 2022-02-24 18:50 – Updated: 2025-04-16 16:44
VLAI?
Title
ICSA-20-140-02 Emerson OpenEnterprise
Summary
Emerson OpenEnterprise versions through 3.3.4 may allow an attacker to run an arbitrary commands with system privileges or perform remote code execution via a specific communication service.
Severity ?
10 (Critical)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Emerson | OpenEnterprise SCADA Software |
Affected:
unspecified , ≤ 3.3.4
(custom)
|
Credits
Roman Lozko of Kaspersky reported these vulnerabilities to Emerson.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:06:10.616Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-140-02"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-10640",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T15:58:04.863796Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T16:44:20.840Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OpenEnterprise SCADA Software",
"vendor": "Emerson",
"versions": [
{
"lessThanOrEqual": "3.3.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Roman Lozko of Kaspersky reported these vulnerabilities to Emerson."
}
],
"descriptions": [
{
"lang": "en",
"value": "Emerson OpenEnterprise versions through 3.3.4 may allow an attacker to run an arbitrary commands with system privileges or perform remote code execution via a specific communication service."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-24T18:50:15.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-140-02"
}
],
"solutions": [
{
"lang": "en",
"value": "Emerson recommends all users upgrade to OpenEnterprise 3.3, Service Pack 5 (3.3.5), to resolve these issues. OpenEnterprise Service Packs are available to users with access to the Emerson SupportNet system (login required). Details will be found in the downloads area.\n\nPlease send any questions via a SupportNet ticket or by contacting Emerson at US 800-537-9313. For users outside of the United States, please use international toll-free numbers."
}
],
"source": {
"advisory": "ICSA-20-140-02",
"discovery": "EXTERNAL"
},
"title": "ICSA-20-140-02 Emerson OpenEnterprise",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2020-10640",
"STATE": "PUBLIC",
"TITLE": "ICSA-20-140-02 Emerson OpenEnterprise"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OpenEnterprise SCADA Software",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "3.3.4"
}
]
}
}
]
},
"vendor_name": "Emerson"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Roman Lozko of Kaspersky reported these vulnerabilities to Emerson."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Emerson OpenEnterprise versions through 3.3.4 may allow an attacker to run an arbitrary commands with system privileges or perform remote code execution via a specific communication service."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-306: Missing Authentication for Critical Function"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-140-02",
"refsource": "CONFIRM",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-140-02"
}
]
},
"solution": [
{
"lang": "en",
"value": "Emerson recommends all users upgrade to OpenEnterprise 3.3, Service Pack 5 (3.3.5), to resolve these issues. OpenEnterprise Service Packs are available to users with access to the Emerson SupportNet system (login required). Details will be found in the downloads area.\n\nPlease send any questions via a SupportNet ticket or by contacting Emerson at US 800-537-9313. For users outside of the United States, please use international toll-free numbers."
}
],
"source": {
"advisory": "ICSA-20-140-02",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-10640",
"datePublished": "2022-02-24T18:50:15.000Z",
"dateReserved": "2020-03-16T00:00:00.000Z",
"dateUpdated": "2025-04-16T16:44:20.840Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10632 (GCVE-0-2020-10632)
Vulnerability from cvelistv5 – Published: 2022-02-24 18:50 – Updated: 2025-04-16 18:01
VLAI?
Title
ICSA-20-140-02 Emerson OpenEnterprise
Summary
Inadequate folder security permissions in Emerson OpenEnterprise versions through 3.3.4 may allow modification of important configuration files, which could cause the system to fail or behave in an unpredictable manner.
Severity ?
8.8 (High)
CWE
- CWE-282 - Improper Ownership Management
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Emerson | OpenEnterprise SCADA Software |
Affected:
unspecified , ≤ 3.3.4
(custom)
|
Credits
Roman Lozko of Kaspersky reported these vulnerabilities to Emerson.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:06:10.454Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-140-02"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-10632",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T17:31:23.752324Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T18:01:14.956Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OpenEnterprise SCADA Software",
"vendor": "Emerson",
"versions": [
{
"lessThanOrEqual": "3.3.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Roman Lozko of Kaspersky reported these vulnerabilities to Emerson."
}
],
"descriptions": [
{
"lang": "en",
"value": "Inadequate folder security permissions in Emerson OpenEnterprise versions through 3.3.4 may allow modification of important configuration files, which could cause the system to fail or behave in an unpredictable manner."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-282",
"description": "CWE-282: Improper Ownership Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-24T18:50:14.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-140-02"
}
],
"solutions": [
{
"lang": "en",
"value": "Emerson recommends all users upgrade to OpenEnterprise 3.3, Service Pack 5 (3.3.5), to resolve these issues. OpenEnterprise Service Packs are available to users with access to the Emerson SupportNet system (login required). Details will be found in the downloads area.\n\nPlease send any questions via a SupportNet ticket or by contacting Emerson at US 800-537-9313. For users outside of the United States, please use international toll-free numbers."
}
],
"source": {
"advisory": "ICSA-20-140-02",
"discovery": "EXTERNAL"
},
"title": "ICSA-20-140-02 Emerson OpenEnterprise",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2020-10632",
"STATE": "PUBLIC",
"TITLE": "ICSA-20-140-02 Emerson OpenEnterprise"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OpenEnterprise SCADA Software",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "3.3.4"
}
]
}
}
]
},
"vendor_name": "Emerson"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Roman Lozko of Kaspersky reported these vulnerabilities to Emerson."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Inadequate folder security permissions in Emerson OpenEnterprise versions through 3.3.4 may allow modification of important configuration files, which could cause the system to fail or behave in an unpredictable manner."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-282: Improper Ownership Management"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-140-02",
"refsource": "CONFIRM",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-140-02"
}
]
},
"solution": [
{
"lang": "en",
"value": "Emerson recommends all users upgrade to OpenEnterprise 3.3, Service Pack 5 (3.3.5), to resolve these issues. OpenEnterprise Service Packs are available to users with access to the Emerson SupportNet system (login required). Details will be found in the downloads area.\n\nPlease send any questions via a SupportNet ticket or by contacting Emerson at US 800-537-9313. For users outside of the United States, please use international toll-free numbers."
}
],
"source": {
"advisory": "ICSA-20-140-02",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-10632",
"datePublished": "2022-02-24T18:50:14.000Z",
"dateReserved": "2020-03-16T00:00:00.000Z",
"dateUpdated": "2025-04-16T18:01:14.956Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-38485 (GCVE-0-2021-38485)
Vulnerability from cvelistv5 – Published: 2021-10-22 13:23 – Updated: 2024-09-16 20:58
VLAI?
Title
Emerson WirelessHART Gateway
Summary
The affected product is vulnerable to improper input validation in the restore file. This enables an attacker to provide malicious config files to replace any file on disk.
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Emerson | WirelessHART Gateway |
Affected:
1410 , ≤ 4.7.94
(custom)
Affected: 1410D , ≤ 4.7.94 (custom) Affected: 1420 , ≤ 4.7.94 (custom) |
Credits
Amir Preminger of Claroty reported these vulnerabilities to CISA
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:44:22.923Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WirelessHART Gateway",
"vendor": "Emerson",
"versions": [
{
"lessThanOrEqual": "4.7.94",
"status": "affected",
"version": "1410",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.7.94",
"status": "affected",
"version": "1410D",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.7.94",
"status": "affected",
"version": "1420",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Amir Preminger of Claroty reported these vulnerabilities to CISA"
}
],
"datePublic": "2021-10-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The affected product is vulnerable to improper input validation in the restore file. This enables an attacker to provide malicious config files to replace any file on disk."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-22T13:23:38.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02"
}
],
"solutions": [
{
"lang": "en",
"value": "Emerson recommends upgrading to v4.7.105 to address these vulnerabilities.\n\nUsers can visit the Emerson Gate Firmware site for and download instructions.\n\nIf affected users do not yet have a free Guardian account, please see the updated Emerson Gateway Firmware download process by following the link above and viewing the download guide."
}
],
"source": {
"advisory": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02",
"discovery": "UNKNOWN"
},
"title": "Emerson WirelessHART Gateway",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2021-10-05T21:42:00.000Z",
"ID": "CVE-2021-38485",
"STATE": "PUBLIC",
"TITLE": "Emerson WirelessHART Gateway"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WirelessHART Gateway",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1410",
"version_value": "4.7.94"
},
{
"version_affected": "\u003c=",
"version_name": "1410D",
"version_value": "4.7.94"
},
{
"version_affected": "\u003c=",
"version_name": "1420",
"version_value": "4.7.94"
}
]
}
}
]
},
"vendor_name": "Emerson"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Amir Preminger of Claroty reported these vulnerabilities to CISA"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The affected product is vulnerable to improper input validation in the restore file. This enables an attacker to provide malicious config files to replace any file on disk."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02",
"refsource": "CONFIRM",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02"
}
]
},
"solution": [
{
"lang": "en",
"value": "Emerson recommends upgrading to v4.7.105 to address these vulnerabilities.\n\nUsers can visit the Emerson Gate Firmware site for and download instructions.\n\nIf affected users do not yet have a free Guardian account, please see the updated Emerson Gateway Firmware download process by following the link above and viewing the download guide."
}
],
"source": {
"advisory": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2021-38485",
"datePublished": "2021-10-22T13:23:38.936Z",
"dateReserved": "2021-08-10T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:58:26.040Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-42542 (GCVE-0-2021-42542)
Vulnerability from cvelistv5 – Published: 2021-10-22 13:23 – Updated: 2024-09-16 17:52
VLAI?
Title
Emerson WirelessHART Gateway
Summary
The affected product is vulnerable to directory traversal due to mishandling of provided backup folder structure.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Emerson | WirelessHART Gateway |
Affected:
1410 , ≤ 4.7.94
(custom)
Affected: 1410D , ≤ 4.7.94 (custom) Affected: 1420 , ≤ 4.7.94 (custom) |
Credits
Amir Preminger of Claroty reported these vulnerabilities to CISA
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:38:49.426Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WirelessHART Gateway",
"vendor": "Emerson",
"versions": [
{
"lessThanOrEqual": "4.7.94",
"status": "affected",
"version": "1410",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.7.94",
"status": "affected",
"version": "1410D",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.7.94",
"status": "affected",
"version": "1420",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Amir Preminger of Claroty reported these vulnerabilities to CISA"
}
],
"datePublic": "2021-10-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The affected product is vulnerable to directory traversal due to mishandling of provided backup folder structure."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-22T13:23:29.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02"
}
],
"solutions": [
{
"lang": "en",
"value": "Emerson recommends upgrading to v4.7.105 to address these vulnerabilities.\n\nUsers can visit the Emerson Gate Firmware site for and download instructions.\n\nIf affected users do not yet have a free Guardian account, please see the updated Emerson Gateway Firmware download process by following the link above and viewing the download guide."
}
],
"source": {
"advisory": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02",
"discovery": "UNKNOWN"
},
"title": "Emerson WirelessHART Gateway",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2021-10-05T21:42:00.000Z",
"ID": "CVE-2021-42542",
"STATE": "PUBLIC",
"TITLE": "Emerson WirelessHART Gateway"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WirelessHART Gateway",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1410",
"version_value": "4.7.94"
},
{
"version_affected": "\u003c=",
"version_name": "1410D",
"version_value": "4.7.94"
},
{
"version_affected": "\u003c=",
"version_name": "1420",
"version_value": "4.7.94"
}
]
}
}
]
},
"vendor_name": "Emerson"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Amir Preminger of Claroty reported these vulnerabilities to CISA"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The affected product is vulnerable to directory traversal due to mishandling of provided backup folder structure."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02",
"refsource": "CONFIRM",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02"
}
]
},
"solution": [
{
"lang": "en",
"value": "Emerson recommends upgrading to v4.7.105 to address these vulnerabilities.\n\nUsers can visit the Emerson Gate Firmware site for and download instructions.\n\nIf affected users do not yet have a free Guardian account, please see the updated Emerson Gateway Firmware download process by following the link above and viewing the download guide."
}
],
"source": {
"advisory": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2021-42542",
"datePublished": "2021-10-22T13:23:29.883Z",
"dateReserved": "2021-10-15T00:00:00.000Z",
"dateUpdated": "2024-09-16T17:52:49.145Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-42540 (GCVE-0-2021-42540)
Vulnerability from cvelistv5 – Published: 2021-10-22 13:23 – Updated: 2024-09-16 21:04
VLAI?
Title
Emerson WirelessHART Gateway
Summary
The affected product is vulnerable to a unsanitized extract folder for system configuration. A low-privileged user can leverage this logic to overwrite the settings and other key functionality.
Severity ?
CWE
- CWE-123 - Write-what-where Condition
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Emerson | WirelessHART Gateway |
Affected:
1410 , ≤ 4.7.94
(custom)
Affected: 1410D , ≤ 4.7.94 (custom) Affected: 1420 , ≤ 4.7.94 (custom) |
Credits
Amir Preminger of Claroty reported these vulnerabilities to CISA
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:30:38.336Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WirelessHART Gateway",
"vendor": "Emerson",
"versions": [
{
"lessThanOrEqual": "4.7.94",
"status": "affected",
"version": "1410",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.7.94",
"status": "affected",
"version": "1410D",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.7.94",
"status": "affected",
"version": "1420",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Amir Preminger of Claroty reported these vulnerabilities to CISA"
}
],
"datePublic": "2021-10-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The affected product is vulnerable to a unsanitized extract folder for system configuration. A low-privileged user can leverage this logic to overwrite the settings and other key functionality."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-123",
"description": "CWE-123 Write-what-where Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-22T13:23:22.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02"
}
],
"solutions": [
{
"lang": "en",
"value": "Emerson recommends upgrading to v4.7.105 to address these vulnerabilities.\n\nUsers can visit the Emerson Gate Firmware site for and download instructions.\n\nIf affected users do not yet have a free Guardian account, please see the updated Emerson Gateway Firmware download process by following the link above and viewing the download guide."
}
],
"source": {
"advisory": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02",
"discovery": "UNKNOWN"
},
"title": "Emerson WirelessHART Gateway",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2021-10-05T21:42:00.000Z",
"ID": "CVE-2021-42540",
"STATE": "PUBLIC",
"TITLE": "Emerson WirelessHART Gateway"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WirelessHART Gateway",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1410",
"version_value": "4.7.94"
},
{
"version_affected": "\u003c=",
"version_name": "1410D",
"version_value": "4.7.94"
},
{
"version_affected": "\u003c=",
"version_name": "1420",
"version_value": "4.7.94"
}
]
}
}
]
},
"vendor_name": "Emerson"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Amir Preminger of Claroty reported these vulnerabilities to CISA"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The affected product is vulnerable to a unsanitized extract folder for system configuration. A low-privileged user can leverage this logic to overwrite the settings and other key functionality."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-123 Write-what-where Condition"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02",
"refsource": "CONFIRM",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02"
}
]
},
"solution": [
{
"lang": "en",
"value": "Emerson recommends upgrading to v4.7.105 to address these vulnerabilities.\n\nUsers can visit the Emerson Gate Firmware site for and download instructions.\n\nIf affected users do not yet have a free Guardian account, please see the updated Emerson Gateway Firmware download process by following the link above and viewing the download guide."
}
],
"source": {
"advisory": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2021-42540",
"datePublished": "2021-10-22T13:23:22.604Z",
"dateReserved": "2021-10-15T00:00:00.000Z",
"dateUpdated": "2024-09-16T21:04:12.096Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-42536 (GCVE-0-2021-42536)
Vulnerability from cvelistv5 – Published: 2021-10-22 13:23 – Updated: 2024-09-17 00:41
VLAI?
Title
Emerson WirelessHART Gateway
Summary
The affected product is vulnerable to a disclosure of peer username and password by allowing all users access to read global variables.
Severity ?
CWE
- CWE-200 - Information Exposure
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Emerson | WirelessHART Gateway |
Affected:
1410 , ≤ 4.7.94
(custom)
Affected: 1410D , ≤ 4.7.94 (custom) Affected: 1420 , ≤ 4.7.94 (custom) |
Credits
Amir Preminger of Claroty reported these vulnerabilities to CISA
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:30:38.286Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WirelessHART Gateway",
"vendor": "Emerson",
"versions": [
{
"lessThanOrEqual": "4.7.94",
"status": "affected",
"version": "1410",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.7.94",
"status": "affected",
"version": "1410D",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.7.94",
"status": "affected",
"version": "1420",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Amir Preminger of Claroty reported these vulnerabilities to CISA"
}
],
"datePublic": "2021-10-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The affected product is vulnerable to a disclosure of peer username and password by allowing all users access to read global variables."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Information Exposure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-22T13:23:15.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02"
}
],
"solutions": [
{
"lang": "en",
"value": "Emerson recommends upgrading to v4.7.105 to address these vulnerabilities.\n\nUsers can visit the Emerson Gate Firmware site for and download instructions.\n\nIf affected users do not yet have a free Guardian account, please see the updated Emerson Gateway Firmware download process by following the link above and viewing the download guide."
}
],
"source": {
"advisory": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02",
"discovery": "UNKNOWN"
},
"title": "Emerson WirelessHART Gateway",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2021-10-05T21:42:00.000Z",
"ID": "CVE-2021-42536",
"STATE": "PUBLIC",
"TITLE": "Emerson WirelessHART Gateway"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WirelessHART Gateway",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1410",
"version_value": "4.7.94"
},
{
"version_affected": "\u003c=",
"version_name": "1410D",
"version_value": "4.7.94"
},
{
"version_affected": "\u003c=",
"version_name": "1420",
"version_value": "4.7.94"
}
]
}
}
]
},
"vendor_name": "Emerson"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Amir Preminger of Claroty reported these vulnerabilities to CISA"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The affected product is vulnerable to a disclosure of peer username and password by allowing all users access to read global variables."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Information Exposure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02",
"refsource": "CONFIRM",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02"
}
]
},
"solution": [
{
"lang": "en",
"value": "Emerson recommends upgrading to v4.7.105 to address these vulnerabilities.\n\nUsers can visit the Emerson Gate Firmware site for and download instructions.\n\nIf affected users do not yet have a free Guardian account, please see the updated Emerson Gateway Firmware download process by following the link above and viewing the download guide."
}
],
"source": {
"advisory": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2021-42536",
"datePublished": "2021-10-22T13:23:15.613Z",
"dateReserved": "2021-10-15T00:00:00.000Z",
"dateUpdated": "2024-09-17T00:41:22.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-42539 (GCVE-0-2021-42539)
Vulnerability from cvelistv5 – Published: 2021-10-22 13:23 – Updated: 2024-09-16 18:03
VLAI?
Title
Emerson WirelessHART Gateway
Summary
The affected product is vulnerable to a missing permission validation on system backup restore, which could lead to account take over and unapproved settings change.
Severity ?
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Emerson | WirelessHART Gateway |
Affected:
1410 , ≤ 4.7.94
(custom)
Affected: 1410D , ≤ 4.7.94 (custom) Affected: 1420 , ≤ 4.7.94 (custom) |
Credits
Amir Preminger of Claroty reported these vulnerabilities to CISA
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:30:38.319Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WirelessHART Gateway",
"vendor": "Emerson",
"versions": [
{
"lessThanOrEqual": "4.7.94",
"status": "affected",
"version": "1410",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.7.94",
"status": "affected",
"version": "1410D",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.7.94",
"status": "affected",
"version": "1420",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Amir Preminger of Claroty reported these vulnerabilities to CISA"
}
],
"datePublic": "2021-10-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The affected product is vulnerable to a missing permission validation on system backup restore, which could lead to account take over and unapproved settings change."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-22T13:23:08.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02"
}
],
"solutions": [
{
"lang": "en",
"value": "Emerson recommends upgrading to v4.7.105 to address these vulnerabilities.\n\nUsers can visit the Emerson Gate Firmware site for and download instructions.\n\nIf affected users do not yet have a free Guardian account, please see the updated Emerson Gateway Firmware download process by following the link above and viewing the download guide."
}
],
"source": {
"advisory": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02",
"discovery": "UNKNOWN"
},
"title": "Emerson WirelessHART Gateway",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2021-10-05T21:42:00.000Z",
"ID": "CVE-2021-42539",
"STATE": "PUBLIC",
"TITLE": "Emerson WirelessHART Gateway"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WirelessHART Gateway",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1410",
"version_value": "4.7.94"
},
{
"version_affected": "\u003c=",
"version_name": "1410D",
"version_value": "4.7.94"
},
{
"version_affected": "\u003c=",
"version_name": "1420",
"version_value": "4.7.94"
}
]
}
}
]
},
"vendor_name": "Emerson"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Amir Preminger of Claroty reported these vulnerabilities to CISA"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The affected product is vulnerable to a missing permission validation on system backup restore, which could lead to account take over and unapproved settings change."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-306 Missing Authentication for Critical Function"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02",
"refsource": "CONFIRM",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02"
}
]
},
"solution": [
{
"lang": "en",
"value": "Emerson recommends upgrading to v4.7.105 to address these vulnerabilities.\n\nUsers can visit the Emerson Gate Firmware site for and download instructions.\n\nIf affected users do not yet have a free Guardian account, please see the updated Emerson Gateway Firmware download process by following the link above and viewing the download guide."
}
],
"source": {
"advisory": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2021-42539",
"datePublished": "2021-10-22T13:23:08.904Z",
"dateReserved": "2021-10-15T00:00:00.000Z",
"dateUpdated": "2024-09-16T18:03:13.053Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-42538 (GCVE-0-2021-42538)
Vulnerability from cvelistv5 – Published: 2021-10-22 13:23 – Updated: 2024-09-17 00:11
VLAI?
Title
Emerson WirelessHART Gateway
Summary
The affected product is vulnerable to a parameter injection via passphrase, which enables the attacker to supply uncontrolled input.
Severity ?
CWE
- CWE-78 - OS Command Injection
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Emerson | WirelessHART Gateway |
Affected:
1410 , ≤ 4.7.94
(custom)
Affected: 1410D , ≤ 4.7.94 (custom) Affected: 1420 , ≤ 4.7.94 (custom) |
Credits
Amir Preminger of Claroty reported these vulnerabilities to CISA
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:30:38.491Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WirelessHART Gateway",
"vendor": "Emerson",
"versions": [
{
"lessThanOrEqual": "4.7.94",
"status": "affected",
"version": "1410",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.7.94",
"status": "affected",
"version": "1410D",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.7.94",
"status": "affected",
"version": "1420",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Amir Preminger of Claroty reported these vulnerabilities to CISA"
}
],
"datePublic": "2021-10-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The affected product is vulnerable to a parameter injection via passphrase, which enables the attacker to supply uncontrolled input."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-22T13:23:02.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02"
}
],
"solutions": [
{
"lang": "en",
"value": "Emerson recommends upgrading to v4.7.105 to address these vulnerabilities.\n\nUsers can visit the Emerson Gate Firmware site for and download instructions.\n\nIf affected users do not yet have a free Guardian account, please see the updated Emerson Gateway Firmware download process by following the link above and viewing the download guide."
}
],
"source": {
"advisory": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02",
"discovery": "UNKNOWN"
},
"title": "Emerson WirelessHART Gateway",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2021-10-05T21:42:00.000Z",
"ID": "CVE-2021-42538",
"STATE": "PUBLIC",
"TITLE": "Emerson WirelessHART Gateway"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WirelessHART Gateway",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1410",
"version_value": "4.7.94"
},
{
"version_affected": "\u003c=",
"version_name": "1410D",
"version_value": "4.7.94"
},
{
"version_affected": "\u003c=",
"version_name": "1420",
"version_value": "4.7.94"
}
]
}
}
]
},
"vendor_name": "Emerson"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Amir Preminger of Claroty reported these vulnerabilities to CISA"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The affected product is vulnerable to a parameter injection via passphrase, which enables the attacker to supply uncontrolled input."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02",
"refsource": "CONFIRM",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02"
}
]
},
"solution": [
{
"lang": "en",
"value": "Emerson recommends upgrading to v4.7.105 to address these vulnerabilities.\n\nUsers can visit the Emerson Gate Firmware site for and download instructions.\n\nIf affected users do not yet have a free Guardian account, please see the updated Emerson Gateway Firmware download process by following the link above and viewing the download guide."
}
],
"source": {
"advisory": "https://us-cert.cisa.gov/ics/advisories/icsa-21-278-02",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2021-42538",
"datePublished": "2021-10-22T13:23:02.452Z",
"dateReserved": "2021-10-15T00:00:00.000Z",
"dateUpdated": "2024-09-17T00:11:59.293Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-12030 (GCVE-0-2020-12030)
Vulnerability from cvelistv5 – Published: 2021-09-29 19:36 – Updated: 2024-08-04 11:48
VLAI?
Title
Emerson WirelessHART Gateway
Summary
There is a flaw in the code used to configure the internal gateway firewall when the gateway's VLAN feature is enabled. If a user enables the VLAN setting, the internal gateway firewall becomes disabled resulting in exposure of all ports used by the gateway.
Severity ?
10 (Critical)
CWE
- CWE-284 - IMPROPER ACCESS CONTROL CWE-284
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Emerson | Wireless 1410 Gateway |
Affected:
4.6.43 , ≤ 4.7.84
(custom)
|
||||||||||||
|
||||||||||||||
Credits
Emerson discovered this vulnerability and reported it to CISA once there was a solution.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:48:57.679Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-135-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Wireless 1410 Gateway",
"vendor": "Emerson",
"versions": [
{
"lessThanOrEqual": "4.7.84",
"status": "affected",
"version": "4.6.43",
"versionType": "custom"
}
]
},
{
"product": "Wireless 1420 Gateway",
"vendor": "Emerson",
"versions": [
{
"lessThanOrEqual": "4.7.84",
"status": "affected",
"version": "4.6.43",
"versionType": "custom"
}
]
},
{
"product": "Wireless 1552WU Gateway",
"vendor": "Emerson",
"versions": [
{
"lessThanOrEqual": "4.7.84",
"status": "affected",
"version": "4.6.43",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Emerson discovered this vulnerability and reported it to CISA once there was a solution."
}
],
"descriptions": [
{
"lang": "en",
"value": "There is a flaw in the code used to configure the internal gateway firewall when the gateway\u0027s VLAN feature is enabled. If a user enables the VLAN setting, the internal gateway firewall becomes disabled resulting in exposure of all ports used by the gateway."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "IMPROPER ACCESS CONTROL CWE-284",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-29T19:36:38.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-135-02"
}
],
"solutions": [
{
"lang": "en",
"value": "Emerson recommends end users update the firmware on VLAN-enabled Version 4 gateways as soon as possible.\n\nIf the VLAN feature is not enabled, no immediate action is necessary.\nPlease see Emerson\u2019s cybersecurity notification alert number EMR.RMT20001-1 for more information."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Emerson WirelessHART Gateway",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2020-12030",
"STATE": "PUBLIC",
"TITLE": "Emerson WirelessHART Gateway"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Wireless 1410 Gateway",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "4.6.43",
"version_value": "4.7.84"
}
]
}
},
{
"product_name": "Wireless 1420 Gateway",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "4.6.43",
"version_value": "4.7.84"
}
]
}
},
{
"product_name": "Wireless 1552WU Gateway",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "4.6.43",
"version_value": "4.7.84"
}
]
}
}
]
},
"vendor_name": "Emerson"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Emerson discovered this vulnerability and reported it to CISA once there was a solution."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "There is a flaw in the code used to configure the internal gateway firewall when the gateway\u0027s VLAN feature is enabled. If a user enables the VLAN setting, the internal gateway firewall becomes disabled resulting in exposure of all ports used by the gateway."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "IMPROPER ACCESS CONTROL CWE-284"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-135-02",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-135-02"
}
]
},
"solution": [
{
"lang": "en",
"value": "Emerson recommends end users update the firmware on VLAN-enabled Version 4 gateways as soon as possible.\n\nIf the VLAN feature is not enabled, no immediate action is necessary.\nPlease see Emerson\u2019s cybersecurity notification alert number EMR.RMT20001-1 for more information."
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-12030",
"datePublished": "2021-09-29T19:36:38.000Z",
"dateReserved": "2020-04-21T00:00:00.000Z",
"dateUpdated": "2024-08-04T11:48:57.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-6970 (GCVE-0-2020-6970)
Vulnerability from cvelistv5 – Published: 2020-02-19 20:19 – Updated: 2024-08-04 09:18
VLAI?
Summary
A Heap-based Buffer Overflow was found in Emerson OpenEnterprise SCADA Server 2.83 (if Modbus or ROC Interfaces have been installed and are in use) and all versions of OpenEnterprise 3.1 through 3.3.3, where a specially crafted script could execute code on the OpenEnterprise Server.
Severity ?
No CVSS data available.
CWE
- CWE-122 - HEAP-BASED BUFFER OVERFLOW CWE-122
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Emerson | OpenEnterprise SCADA Server |
Affected:
2.83 (if Modbus or ROC Interfaces have been installed and are in use)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:18:02.389Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-049-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OpenEnterprise SCADA Server",
"vendor": "Emerson",
"versions": [
{
"status": "affected",
"version": "2.83 (if Modbus or ROC Interfaces have been installed and are in use)"
}
]
},
{
"product": "OpenEnterprise",
"vendor": "Emerson",
"versions": [
{
"status": "affected",
"version": "3.1 through 3.3.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Heap-based Buffer Overflow was found in Emerson OpenEnterprise SCADA Server 2.83 (if Modbus or ROC Interfaces have been installed and are in use) and all versions of OpenEnterprise 3.1 through 3.3.3, where a specially crafted script could execute code on the OpenEnterprise Server."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "HEAP-BASED BUFFER OVERFLOW CWE-122",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-19T20:19:55.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-049-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2020-6970",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OpenEnterprise SCADA Server",
"version": {
"version_data": [
{
"version_value": "2.83 (if Modbus or ROC Interfaces have been installed and are in use)"
}
]
}
},
{
"product_name": "OpenEnterprise",
"version": {
"version_data": [
{
"version_value": "3.1 through 3.3.3"
}
]
}
}
]
},
"vendor_name": "Emerson"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Heap-based Buffer Overflow was found in Emerson OpenEnterprise SCADA Server 2.83 (if Modbus or ROC Interfaces have been installed and are in use) and all versions of OpenEnterprise 3.1 through 3.3.3, where a specially crafted script could execute code on the OpenEnterprise Server."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "HEAP-BASED BUFFER OVERFLOW CWE-122"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.us-cert.gov/ics/advisories/icsa-20-049-02",
"refsource": "MISC",
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-049-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-6970",
"datePublished": "2020-02-19T20:19:55.000Z",
"dateReserved": "2020-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:18:02.389Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10967 (GCVE-0-2019-10967)
Vulnerability from cvelistv5 – Published: 2019-05-28 21:59 – Updated: 2024-08-04 22:40
VLAI?
Summary
In Emerson Ovation OCR400 Controller 3.3.1 and earlier, a stack-based buffer overflow vulnerability in the embedded third-party FTP server involves improper handling of a long file name from the LIST command to the FTP service, which may cause the service to overwrite buffers, leading to remote code execution and escalation of privileges.
Severity ?
No CVSS data available.
CWE
- CWE-121 - Stack-Based Buffer Overflow CWE-121
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Emerson | Emerson Ovation OCR400 Controller |
Affected:
All versions prior to and including v3.3.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:40:15.538Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-148-01"
},
{
"name": "108499",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/108499"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Emerson Ovation OCR400 Controller",
"vendor": "Emerson",
"versions": [
{
"status": "affected",
"version": "All versions prior to and including v3.3.1"
}
]
}
],
"datePublic": "2019-05-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In Emerson Ovation OCR400 Controller 3.3.1 and earlier, a stack-based buffer overflow vulnerability in the embedded third-party FTP server involves improper handling of a long file name from the LIST command to the FTP service, which may cause the service to overwrite buffers, leading to remote code execution and escalation of privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-Based Buffer Overflow CWE-121",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-29T12:06:02.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-148-01"
},
{
"name": "108499",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/108499"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2019-10967",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Emerson Ovation OCR400 Controller",
"version": {
"version_data": [
{
"version_value": "All versions prior to and including v3.3.1"
}
]
}
}
]
},
"vendor_name": "Emerson"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Emerson Ovation OCR400 Controller 3.3.1 and earlier, a stack-based buffer overflow vulnerability in the embedded third-party FTP server involves improper handling of a long file name from the LIST command to the FTP service, which may cause the service to overwrite buffers, leading to remote code execution and escalation of privileges."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Stack-Based Buffer Overflow CWE-121"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-148-01",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-148-01"
},
{
"name": "108499",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/108499"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2019-10967",
"datePublished": "2019-05-28T21:59:06.000Z",
"dateReserved": "2019-04-08T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:40:15.538Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10965 (GCVE-0-2019-10965)
Vulnerability from cvelistv5 – Published: 2019-05-28 21:54 – Updated: 2024-08-04 22:40
VLAI?
Summary
In Emerson Ovation OCR400 Controller 3.3.1 and earlier, a heap-based buffer overflow vulnerability in the embedded third-party FTP server involves improper handling of a long command to the FTP service, which may cause memory corruption that halts the controller or leads to remote code execution and escalation of privileges.
Severity ?
No CVSS data available.
CWE
- Buffer Overflow
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Emerson | Emerson Ovation OCR400 Controller |
Affected:
All versions prior to and including v3.3.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:40:15.689Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-148-01"
},
{
"name": "108499",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/108499"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Emerson Ovation OCR400 Controller",
"vendor": "Emerson",
"versions": [
{
"status": "affected",
"version": "All versions prior to and including v3.3.1"
}
]
}
],
"datePublic": "2019-05-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In Emerson Ovation OCR400 Controller 3.3.1 and earlier, a heap-based buffer overflow vulnerability in the embedded third-party FTP server involves improper handling of a long command to the FTP service, which may cause memory corruption that halts the controller or leads to remote code execution and escalation of privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Buffer Overflow",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-29T12:06:02.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-148-01"
},
{
"name": "108499",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/108499"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2019-10965",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Emerson Ovation OCR400 Controller",
"version": {
"version_data": [
{
"version_value": "All versions prior to and including v3.3.1"
}
]
}
}
]
},
"vendor_name": "Emerson"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Emerson Ovation OCR400 Controller 3.3.1 and earlier, a heap-based buffer overflow vulnerability in the embedded third-party FTP server involves improper handling of a long command to the FTP service, which may cause memory corruption that halts the controller or leads to remote code execution and escalation of privileges."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Buffer Overflow"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-148-01",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-148-01"
},
{
"name": "108499",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/108499"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2019-10965",
"datePublished": "2019-05-28T21:54:26.000Z",
"dateReserved": "2019-04-08T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:40:15.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-19021 (GCVE-0-2018-19021)
Vulnerability from cvelistv5 – Published: 2019-01-25 20:00 – Updated: 2024-09-17 03:52
VLAI?
Summary
A specially crafted script could bypass the authentication of a maintenance port of Emerson DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior, which may allow an attacker to cause a denial of service.
Severity ?
No CVSS data available.
CWE
- CWE-307 - Authentication Bypass CWE-307
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Emerson | Emerson DeltaV |
Affected:
DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior.
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:23:08.523Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "106522",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106522"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-010-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Emerson DeltaV",
"vendor": "Emerson",
"versions": [
{
"status": "affected",
"version": "DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior."
}
]
}
],
"datePublic": "2019-01-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A specially crafted script could bypass the authentication of a maintenance port of Emerson DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior, which may allow an attacker to cause a denial of service."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "Authentication Bypass CWE-307",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-01-26T10:57:01.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"name": "106522",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106522"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-010-01"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2019-01-10T00:00:00",
"ID": "CVE-2018-19021",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Emerson DeltaV",
"version": {
"version_data": [
{
"version_value": "DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior."
}
]
}
}
]
},
"vendor_name": "Emerson"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A specially crafted script could bypass the authentication of a maintenance port of Emerson DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior, which may allow an attacker to cause a denial of service."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Authentication Bypass CWE-307"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "106522",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106522"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-010-01",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-010-01"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2018-19021",
"datePublished": "2019-01-25T20:00:00.000Z",
"dateReserved": "2018-11-06T00:00:00.000Z",
"dateUpdated": "2024-09-17T03:52:35.783Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-14808 (GCVE-0-2018-14808)
Vulnerability from cvelistv5 – Published: 2018-10-01 16:00 – Updated: 2024-09-17 03:54
VLAI?
Summary
Emerson AMS Device Manager v12.0 to v13.5. Non-administrative users are able to change executable and library files on the affected products.
Severity ?
No CVSS data available.
CWE
- CWE-269 - IMPROPER PRIVILEGE MANAGEMENT CWE-269
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Emerson | AMS Device Manager |
Affected:
v12.0 to v13.5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T09:38:13.992Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-270-01"
},
{
"name": "105406",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/105406"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "AMS Device Manager",
"vendor": "Emerson",
"versions": [
{
"status": "affected",
"version": "v12.0 to v13.5"
}
]
}
],
"datePublic": "2018-09-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Emerson AMS Device Manager v12.0 to v13.5. Non-administrative users are able to change executable and library files on the affected products."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "IMPROPER PRIVILEGE MANAGEMENT CWE-269",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-02T09:57:01.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-270-01"
},
{
"name": "105406",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/105406"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2018-09-27T00:00:00",
"ID": "CVE-2018-14808",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "AMS Device Manager",
"version": {
"version_data": [
{
"version_value": "v12.0 to v13.5"
}
]
}
}
]
},
"vendor_name": "Emerson"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Emerson AMS Device Manager v12.0 to v13.5. Non-administrative users are able to change executable and library files on the affected products."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "IMPROPER PRIVILEGE MANAGEMENT CWE-269"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-270-01",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-270-01"
},
{
"name": "105406",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/105406"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2018-14808",
"datePublished": "2018-10-01T16:00:00.000Z",
"dateReserved": "2018-08-01T00:00:00.000Z",
"dateUpdated": "2024-09-17T03:54:18.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-14804 (GCVE-0-2018-14804)
Vulnerability from cvelistv5 – Published: 2018-10-01 16:00 – Updated: 2024-09-17 00:16
VLAI?
Summary
Emerson AMS Device Manager v12.0 to v13.5. A specially crafted script may be run that allows arbitrary remote code execution.
Severity ?
No CVSS data available.
CWE
- CWE-284 - IMPROPER ACCESS CONTROL CWE-284
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Emerson | AMS Device Manager |
Affected:
v12.0 to v13.5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T09:38:13.981Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-270-01"
},
{
"name": "105406",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/105406"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "AMS Device Manager",
"vendor": "Emerson",
"versions": [
{
"status": "affected",
"version": "v12.0 to v13.5"
}
]
}
],
"datePublic": "2018-09-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Emerson AMS Device Manager v12.0 to v13.5. A specially crafted script may be run that allows arbitrary remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "IMPROPER ACCESS CONTROL CWE-284",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-02T09:57:01.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-270-01"
},
{
"name": "105406",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/105406"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2018-09-27T00:00:00",
"ID": "CVE-2018-14804",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "AMS Device Manager",
"version": {
"version_data": [
{
"version_value": "v12.0 to v13.5"
}
]
}
}
]
},
"vendor_name": "Emerson"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Emerson AMS Device Manager v12.0 to v13.5. A specially crafted script may be run that allows arbitrary remote code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "IMPROPER ACCESS CONTROL CWE-284"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-270-01",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-270-01"
},
{
"name": "105406",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/105406"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2018-14804",
"datePublished": "2018-10-01T16:00:00.000Z",
"dateReserved": "2018-08-01T00:00:00.000Z",
"dateUpdated": "2024-09-17T00:16:05.252Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-14791 (GCVE-0-2018-14791)
Vulnerability from cvelistv5 – Published: 2018-08-23 19:00 – Updated: 2024-09-16 22:51
VLAI?
Summary
Emerson DeltaV DCS versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, R5 may allow non-administrative users to change executable and library files on the affected products.
Severity ?
No CVSS data available.
CWE
- CWE-269 - IMPROPER PRIVILEGE MANAGEMENT CWE-269
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Emerson | DeltaV DCS |
Affected:
v11.3.1, v12.3.1, v13.3.0, v13.3.1, R5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T09:38:13.977Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-228-01"
},
{
"name": "105105",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/105105"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DeltaV DCS",
"vendor": "Emerson",
"versions": [
{
"status": "affected",
"version": "v11.3.1, v12.3.1, v13.3.0, v13.3.1, R5"
}
]
}
],
"datePublic": "2018-08-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Emerson DeltaV DCS versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, R5 may allow non-administrative users to change executable and library files on the affected products."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "IMPROPER PRIVILEGE MANAGEMENT CWE-269",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-08-24T09:57:01.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-228-01"
},
{
"name": "105105",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/105105"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2018-08-16T00:00:00",
"ID": "CVE-2018-14791",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DeltaV DCS",
"version": {
"version_data": [
{
"version_value": "v11.3.1, v12.3.1, v13.3.0, v13.3.1, R5"
}
]
}
}
]
},
"vendor_name": "Emerson"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Emerson DeltaV DCS versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, R5 may allow non-administrative users to change executable and library files on the affected products."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "IMPROPER PRIVILEGE MANAGEMENT CWE-269"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-228-01",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-228-01"
},
{
"name": "105105",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/105105"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2018-14791",
"datePublished": "2018-08-23T19:00:00.000Z",
"dateReserved": "2018-08-01T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:51:13.585Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-14797 (GCVE-0-2018-14797)
Vulnerability from cvelistv5 – Published: 2018-08-23 19:00 – Updated: 2024-09-17 04:19
VLAI?
Summary
Emerson DeltaV DCS versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, R5 allow a specially crafted DLL file to be placed in the search path and loaded as an internal and valid DLL, which may allow arbitrary code execution.
Severity ?
No CVSS data available.
CWE
- CWE-427 - UNCONTROLLED SEARCH PATH ELEMENT CWE-427
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Emerson | DeltaV DCS |
Affected:
v11.3.1, v12.3.1, v13.3.0, v13.3.1, R5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T09:38:14.042Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-228-01"
},
{
"name": "105105",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/105105"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "DeltaV DCS",
"vendor": "Emerson",
"versions": [
{
"status": "affected",
"version": "v11.3.1, v12.3.1, v13.3.0, v13.3.1, R5"
}
]
}
],
"datePublic": "2018-08-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Emerson DeltaV DCS versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, R5 allow a specially crafted DLL file to be placed in the search path and loaded as an internal and valid DLL, which may allow arbitrary code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "UNCONTROLLED SEARCH PATH ELEMENT CWE-427",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-08-24T09:57:01.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-228-01"
},
{
"name": "105105",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/105105"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2018-08-16T00:00:00",
"ID": "CVE-2018-14797",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DeltaV DCS",
"version": {
"version_data": [
{
"version_value": "v11.3.1, v12.3.1, v13.3.0, v13.3.1, R5"
}
]
}
}
]
},
"vendor_name": "Emerson"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Emerson DeltaV DCS versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, R5 allow a specially crafted DLL file to be placed in the search path and loaded as an internal and valid DLL, which may allow arbitrary code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "UNCONTROLLED SEARCH PATH ELEMENT CWE-427"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-228-01",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-228-01"
},
{
"name": "105105",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/105105"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2018-14797",
"datePublished": "2018-08-23T19:00:00.000Z",
"dateReserved": "2018-08-01T00:00:00.000Z",
"dateUpdated": "2024-09-17T04:19:50.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-2349 (GCVE-0-2014-2349)
Vulnerability from cvelistv5 – Published: 2014-05-22 20:00 – Updated: 2025-10-31 22:56
VLAI?
Title
Emerson DeltaV Use of Improper Authorization
Summary
Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet program.
Severity ?
No CVSS data available.
CWE
Assigner
References
Impacted products
Credits
Kirill Nesterov, Alexander Tlyapov, Dmitry Nagibin, Alexey Osipov, and Timur Yunusov of Positive Technologies
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T10:14:25.055Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-133-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "DeltaV",
"vendor": "Emerson",
"versions": [
{
"status": "affected",
"version": "10.3.1"
},
{
"status": "affected",
"version": "11.3"
},
{
"status": "affected",
"version": "11.3.1"
},
{
"status": "affected",
"version": "12.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kirill Nesterov, Alexander Tlyapov, Dmitry Nagibin, Alexey Osipov, and Timur Yunusov of Positive Technologies"
}
],
"datePublic": "2014-05-22T06:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\nEmerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet program.\n\n\u003c/p\u003e"
}
],
"value": "Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet program."
}
],
"metrics": [
{
"cvssV2_0": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 6.2,
"confidentialityImpact": "NONE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:L/AC:L/Au:S/C:N/I:C/A:C",
"version": "2.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T22:56:34.809Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-133-02"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Emerson has created a patch to mitigate these vulnerabilities. Emerson \nhas distributed a notification (KBA NK-1400-0031) that provides details \nof the vulnerabilities, recommended mitigations, and instructions on \nobtaining and installing the patch. This document is available on \nEmerson\u2019s support site to users who have support contracts with Emerson.\n If you do not have access to this site and need to apply the patch, \nplease contact customer service at 1\u2011800\u2011833\u20118314.\n\n\u003cbr\u003e"
}
],
"value": "Emerson has created a patch to mitigate these vulnerabilities. Emerson \nhas distributed a notification (KBA NK-1400-0031) that provides details \nof the vulnerabilities, recommended mitigations, and instructions on \nobtaining and installing the patch. This document is available on \nEmerson\u2019s support site to users who have support contracts with Emerson.\n If you do not have access to this site and need to apply the patch, \nplease contact customer service at 1\u2011800\u2011833\u20118314."
}
],
"source": {
"advisory": "ICSA-14-133-02",
"discovery": "UNKNOWN"
},
"title": "Emerson DeltaV Use of Improper Authorization",
"x_generator": {
"engine": "Vulnogram 0.2.0"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2014-2349",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 allows local users to modify or read configuration files by leveraging engineering-level privileges."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://ics-cert.us-cert.gov/advisories/ICSA-14-133-02",
"refsource": "MISC",
"url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-133-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2014-2349",
"datePublished": "2014-05-22T20:00:00.000Z",
"dateReserved": "2014-03-13T00:00:00.000Z",
"dateUpdated": "2025-10-31T22:56:34.809Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}