cbcvebase.
CVE-2022-1118
published 2022-05-17

CVE-2022-1118: Connected Components Workbench (v13.00.00 and prior), ISaGRAF Workbench (v6.0 though v6.6.9), and Safety Instrumented System Workstation (v1.2 and prior (for…

PriorityP276high7.8CVSS 3.1
AVLACLPRNUIRSUCHIHAH
ITWVulnCheck KEV
Exploited in the wild
EPSS
11.37%
95.4th percentile
Connected Components Workbench (v13.00.00 and prior), ISaGRAF Workbench (v6.0 though v6.6.9), and Safety Instrumented System Workstation (v1.2 and prior (for Trusted Controllers)) do not limit the objects that can be deserialized. This allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in arbitrary code execution. This vulnerability requires user interaction to be successfully exploited

Affected

6 ranges
VendorProductVersion rangeFixed in
rockwell_automationconnected_component_workbenchAll – v13.00.00
rockwell_automationisagraf_workbench
rockwell_automationsafety_instrumented_systems_workstationAll – v1.2 (for Trusted Controllers)
rockwellautomationconnected_component_workbench<= 13.00.00
rockwellautomationisagraf_workbench6.0 – 6.6.9
rockwellautomationsafety_instrumented_systems_workstation<= 1.2

Detection & IOCsextracted from sources · hover to see the quote

  • Vulnerability involves deserialization of untrusted data (CWE-502) in Rockwell Automation products; monitor for suspicious file open events in Connected Components Workbench, ISaGRAF Workbench, or Safety Instrumented Systems Workstation processes that may trigger deserialization of crafted malicious objects.
  • Exploitation requires local user interaction (e.g., opening a malicious file); monitor for unexpected child process spawning from Connected Components Workbench (v13.00.00 and prior), ISaGRAF Workbench (v6.0 through v6.6.9), or Safety Instrumented Systems Workstation (v1.2 and prior) processes.
  • Consider deploying Microsoft AppLocker allowlisting rules targeting the affected Rockwell Automation application executables to detect or block unauthorized code execution attempts originating from these processes.
  • ·No known public exploits specifically target this vulnerability at time of advisory publication; exploitation is local (not remotely exploitable), requiring a user to open a malicious serialized file.
  • ·Attack vector is local with no privilege required but requires user interaction (CVSS AV:L/AC:L/PR:N/UI:R/S:C); scope is Changed with High impact on Confidentiality, Integrity, and Availability.

CVSS provenance

nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck8.6HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.