CVE-2022-30308 CRITICAL

CVE-2022-30308: FESTO: CECC-X-M1 and Servo Press Kit YJKP OS Command Injection vulnerability

Vendor Festo
Product Controller CECC-X-M1 (4407603)
Weakness CWE-863 · Incorrect authorization
Published June 13, 2022
Last update September 16, 2024

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

In the Festo Controller CECC-X-M1 product family, in multiple versions, the HTTP endpoint "cecc-x-web-viewer-request-on" does not check the syntax of the port value supplied in a POST request. Because the endpoint is reachable without authorization, this can result in unauthorized execution of system commands with root privileges (improper access control leading to command injection).
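The two defects named above, a missing authorization check and a port value that is spliced into a command line without syntax validation, are the two things a fix for this class of bug has to close. The following is an added illustration written for this record; it is not Festo's code and says nothing about how the affected firmware is implemented. The field name "port", the helper path VIEWER_BIN and the handler shape are assumptions. It shows the vulnerable construction beside a hardened handler that authorizes first, accepts only a decimal port in 1..65535, and builds an argv list so no shell parser ever sees the input.

```python
import re
from typing import Dict, List

# Constructed example, not Festo's code. The "port" field name, the helper
# binary path and the handler shape are placeholders for illustration only.

_PORT_RE = re.compile(r"[0-9]{1,5}")
VIEWER_BIN = "/opt/viewer/bin/viewer"   # placeholder path, assumed


def validate_port(value) -> int:
    """Accept only a plain decimal TCP port in 1..65535; reject anything else."""
    if not isinstance(value, str) or not _PORT_RE.fullmatch(value):
        raise ValueError("port must be a plain decimal integer")
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return port


def build_command_unsafe(port_field: str) -> str:
    """Vulnerable pattern: the raw field is spliced into a shell command string
    with no syntax check, so any shell operator inside it is honoured when the
    string is handed to a shell (e.g. shell=True). Shown only for contrast."""
    return f"{VIEWER_BIN} --port {port_field}"


def build_command_safe(port_field: str) -> List[str]:
    """Hardened pattern: validate first, then build an argv list. An argv list
    passed to subprocess with shell=False is never parsed by a shell."""
    return [VIEWER_BIN, "--port", str(validate_port(port_field))]


def handle_request(body: Dict[str, str], authenticated: bool) -> Dict[str, object]:
    """Authorization check first (the CWE-863 part), then strict validation.
    Returns an HTTP-style status and the argv that would be executed."""
    if not authenticated:
        return {"status": 401, "argv": None}
    try:
        argv = build_command_safe(body.get("port", ""))
    except ValueError as exc:
        return {"status": 400, "argv": None, "error": str(exc)}
    # In a real handler: subprocess.run(argv, shell=False) under an
    # unprivileged service account, never as root. Omitted here because
    # VIEWER_BIN is a placeholder.
    return {"status": 200, "argv": argv}
```

The allow-list regex is deliberately narrower than "reject known-bad characters": an input that is not a short decimal string is refused outright, which also covers encodings a deny-list would miss. Running the helper as a non-root user is the second layer, so that even a future parsing mistake does not yield root.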

Key dates

Disclosure timeline

June 13, 2022 CVE published
September 16, 2024 Record updated