Hard-coded Credential Vulnerability in Honeywell ControlEdge Products
CVE-2022-30318

9.8CRITICAL

Key Information:

Vendor: Honeywell
Status: Controledge Plc Firmware
Vendor: CVE Published:; 31 August 2022

What is CVE-2022-30318?

The Honeywell ControlEdge product line is affected by a significant vulnerability involving hard-coded credentials that grant unauthorized access to the root user. This weakness affects the SSH service, which is accessible on TCP port 22, allowing attackers to execute remote code, manipulate configurations, or potentially cause a denial of service. The root credentials are embedded in the firmware and remain unchanged post-commissioning, posing a critical security risk for organizations utilizing these products.

References

https://www.forescout.com/blog/

x_refsource_MISC

https://www.cisa.gov/uscert/ics/advisories/icsa-22-242-06

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 31, 2022
Vulnerability Reserved
May 6, 2022