Deserialization Vulnerability in Delta Electronics InfraSuite Device Master
CVE-2023-1145
7.8 HIGH
Summary
Delta Electronics InfraSuite Device Master versions earlier than 1.0.5 contain a deserialization vulnerability in the Device-DataCollect service. The service deserializes incoming requests before authenticating them, which can lead to remote code execution on affected systems. Organizations using this product should keep up to date with security patches and put safeguards against exploitation in place.
Affected Version(s)
InfraSuite Device Master 0 < 1.0.5
CVSS V3.1
Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Piotr Bazydlo (@chudypd) of Trend Micro and Anonymous working with Trend Micro’s Zero Day Initiative reported these vulnerabilities to CISA.