CVE-2022-29897 CRITICAL

CVE-2022-29897: Remote Code Execution in all versions of various RAD-ISM-900-EN-* devices by PHOENIX CONTACT

Vendor Phoenix Contact
Product RAD-ISM-900-EN-BD/B
Weakness CWE-20 · Input validation
Published May 11, 2022
Last update September 17, 2024

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

Description

On various RAD-ISM-900-EN-* devices by PHOENIX CONTACT, an admin user could use the traceroute utility integrated in the WebUI to execute arbitrary code with root privileges on the OS, due to improper input validation in all versions of the firmware.

Key dates

Disclosure timeline

May 11, 2022 CVE published
September 17, 2024 Record updated