CVE-2022-29898 CRITICAL

CVE-2022-29898: Remote Code Execution in all versions of various RAD-ISM-900-EN-* devices by PHOENIX CONTACT

Vendor: Phoenix Contact
Product: RAD-ISM-900-EN-BD/B
Weakness: CWE-354 (Improper Validation of Integrity Check Value)
Published: May 11, 2022
Last update: September 16, 2024

CVSS base score

9.1/10 (Critical)
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Description

On various RAD-ISM-900-EN-* devices by PHOENIX CONTACT, an admin user could use the configuration file uploader in the WebUI to execute arbitrary code with root privileges on the OS, due to improper validation of an integrity check value in all versions of the firmware.

Disclosure timeline

May 11, 2022: CVE published
September 16, 2024: Record updated