Authenticated Command Injection in Hirschmann BAT-C2 Web Server
CVE-2022-40282

8.8HIGH

Key Information:

Vendor: Belden
Status: Hirschmann Bat-c2 Firmware
Vendor: CVE Published:; 25 November 2022

What is CVE-2022-40282?

The Hirschmann BAT-C2 web server, prior to version 09.13.01.00R04, is susceptible to an authenticated command injection vulnerability. This arises from insufficient sanitization of the 'dir' parameter in the FsCreateDir Ajax function, allowing attackers with valid credentials to execute arbitrary commands on the underlying system. This vulnerability poses significant risks as it can lead to unauthorized access and manipulation of system resources.

References

https://www.belden.com/support/security-assurance

http://seclists.org/fulldisclosure/2022/Nov/19

mailing-list

http://packetstormsecurity.com/files/170063/Hirschmann-Be...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 25, 2022
Vulnerability Reserved
Sep 8, 2022

JSON

Belden

What is CVE-2022-40282?

References

CVSS V3.1

Timeline