Rockwell Automation ISaGRAF Deserialization of Untrusted Data
CVE-2022-1118

8.6HIGH

Key Information:

Vendor: Rockwell Automation
Status: Connected Component Workbench; Isagraf Workbench; Safety Instrumented Systems Workstation
Vendor: CVE Published:; 17 May 2022

Summary

Connected Components Workbench (v13.00.00 and prior), ISaGRAF Workbench (v6.0 though v6.6.9), and Safety Instrumented System Workstation (v1.2 and prior (for Trusted Controllers)) do not limit the objects that can be deserialized. This allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in arbitrary code execution. This vulnerability requires user interaction to be successfully exploited

Affected Version(s)

Connected Component Workbench All

ISaGRAF Workbench All v6.0 through v6.6.9

Safety Instrumented Systems Workstation All

References

https://www.cisa.gov/uscert/ics/advisories/icsa-22-095-01

x_refsource_MISC

EPSS Score

51% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
May 17, 2022
Vulnerability Reserved
Mar 28, 2022