CVE-2023-2685 HIGH

CVE-2023-2685: Unquoted Service Path in ABB AO-OPC

Vendor Abb

Product AO-OPC

Weakness CWE-428

Published July 28, 2023

Last update October 21, 2024

View on NVD All CVEs

CVSS base score

7.2/10

Attack vector Local

Attack complexity High

Privileges required High

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

A vulnerability was found in AO-OPC server versions mentioned above. As the directory information for the service entry is not enclosed in quotation marks, potential attackers could possibly call up another application than the AO-OPC server by starting the service. The service might be started with system user privileges which could cause a shift in user access privileges. It is unlikely to exploit the vulnerability in well maintained Windows installations since the attacker would need write access to system folders. An update is available that resolves the vulnerability found during an internal review in the product AO-OPC = 3.2.1

Key dates

02Disclosure timeline

July 28, 2023 CVE published

October 21, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-2685 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/428.html

Related vulnerabilities

CVE-2023-2685: Unquoted Service Path in ABB AO-OPC

01Description

02Disclosure timeline

03References

04Related CVE