CVE-2022-0999
Published 2022-04-11
CVE-2022-0999: An authenticated user may be able to misuse parameters to inject arbitrary operating system commands into mySCADA myPRO versions 8.25.0 and prior.
Priority P3 · 53 · high · 8.8 CVSS 3.1
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.34% (67.8th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| myscada | mypro | <= 8.25.0 | — |
| myscada | mypro | 5.59 – 8.25.0 | — |
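CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |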
CISA ICS
mySCADA myPRO
cisa_ics·2022-03-24·CVSS 8.8
[HIGH] mySCADA myPRO
## Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
## mySCADA myPRO
Last Revised: March 24, 2022
Alert Code: ICSA-22-083-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 8.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: mySCADA
- Equipment: myPRO
- Vulnerability: Command Injection
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow injection of arbitrary operating system commands.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
mySCADA reports this vulnerability affects the following myPRO HMI/SCADA products:
- myPRO Versions 8.25.0 and prior
## 3.2 VULNERABILITY OVERVIEW
## 3.2.1 IMPROPER
GHSA
GHSA-wwgw-j4gw-362r: An authenticated user may be able to misuse parameters to inject arbitrary operating system commands into mySCADA myPRO versions 8
ghsa_unreviewed·2022-04-12
CVE-2022-0999 [HIGH] CWE-77 GHSA-wwgw-j4gw-362r: An authenticated user may be able to misuse parameters to inject arbitrary operating system commands into mySCADA myPRO versions 8
An authenticated user may be able to misuse parameters to inject arbitrary operating system commands into mySCADA myPRO versions 8.25.0 and prior.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2022-04-11