CVE-2022-2003
published 2022-08-31

CVE-2022-2003: AutomationDirect DirectLOGIC is vulnerable to a specifically crafted serial message to the CPU serial port that will cause the PLC to respond with the PLC…

Priority: P180 · Severity: critical, 9.1 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
ITW: VulnCheck KEV, exploited in the wild
EPSS: 0.60% (44.2th percentile)
AutomationDirect DirectLOGIC is vulnerable to a specifically crafted serial message to the CPU serial port that will cause the PLC to respond with the PLC password in cleartext. This could allow an attacker to access and make unauthorized changes. This issue affects AutomationDirect DirectLOGIC D0-06 series CPUs: D0-06DD1 versions prior to 2.72; D0-06DD2 versions prior to 2.72; D0-06DR versions prior to 2.72; D0-06DA versions prior to 2.72; D0-06AR versions prior to 2.72; D0-06AA versions prior to 2.72; D0-06DD1-D versions prior to 2.72; D0-06DD2-D versions prior to 2.72; D0-06DR-D versions prior to 2.72.

Affected

23 ranges

Vendor            Product                         Version range        Fixed in
automationdirect  d0-06aa_firmware                < 2.72               2.72
automationdirect  d0-06ar_firmware                < 2.72               2.72
automationdirect  d0-06da_firmware                < 2.72               2.72
automationdirect  d0-06dd1-d_firmware             < 2.72               2.72
automationdirect  d0-06dd1_firmware               < 2.72               2.72
automationdirect  d0-06dd2-d_firmware             < 2.72               2.72
automationdirect  d0-06dd2_firmware               < 2.72               2.72
automationdirect  d0-06dr-d_firmware              < 2.72               2.72
automationdirect  d0-06dr_firmware                < 2.72               2.72
automationdirect  directlogic_d0-06_series_cpus   >= D0-06AA < 2.72    2.72
automationdirect  directlogic_d0-06_series_cpus   >= D0-06AR < 2.72    2.72
automationdirect  directlogic_d0-06_series_cpus   >= D0-06DA < 2.72    2.72
automationdirect  directlogic_d0-06_series_cpus   >= D0-06DD1 < 2.72   2.72
automationdirect  directlogic_d0-06_series_cpus   >= D0-06DD1-D < 2.72 2.72
automationdirect  directlogic_d0-06_series_cpus   >= D0-06DD2 < 2.72   2.72
automationdirect  directlogic_d0-06_series_cpus   >= D0-06DD2-D < 2.72 2.72
automationdirect  directlogic_d0-06_series_cpus   >= D0-06DR < 2.72    2.72
automationdirect  directlogic_d0-06_series_cpus   >= D0-06DR-D < 2.72  2.72
github.com        migueldeicaza_swiftterm         >= 0 < 1.2.0         1.2.0
juniper           junos_os                        (none listed)        (none listed)
juniper           qfx_series                      (none listed)        (none listed)
msrc              cbl2_kernel_5.15.26.1-1_on_cbl_mariner_2.0   (none listed)   (none listed)
msrc              cm1_kernel_5.10.102.1-1_on_cbl_mariner_1.0   (none listed)   (none listed)

Reading notes: in the directlogic_d0-06_series_cpus rows the lower bound is a model designation, not a firmware version, so read each as "model X, firmware earlier than 2.72; fixed in 2.72". The last five rows (a SwiftTerm terminal library, Juniper Junos OS and QFX, and two CBL-Mariner kernel packages) name products that the description above does not mention and that have no evident relation to DirectLOGIC D0-06 firmware; treat them as mis-associated aggregation entries and do not mark those products affected by this CVE on the strength of this table alone.

Detection & IOCs (extracted from sources)

  • Detect network traffic associated with password retrieval targeting DirectLogic PLCs through their Ethernet modules (H0-ECOM/H0-ECOM100): monitor for specially crafted Ethernet packets that elicit a cleartext password response, and inspect PLC responses for credential data.
  • Detect specially crafted serial messages sent to the CPU serial port of DirectLogic PLCs that cause the PLC to respond with its password in cleartext: monitor serial communication channels for anomalous password disclosure responses.
  • CVE-2022-2003 affects both serial and Ethernet attack vectors. The serial variant (ICSA-22-167-02) is not exploitable remotely, while the Ethernet variant (ICSA-22-167-03) is exploitable remotely with low attack complexity; detection strategies must account for both communication paths.
  • No known public exploits specifically targeting these vulnerabilities were identified at the time of advisory publication; detections should focus on anomalous PLC communication patterns rather than known exploit signatures.
  • Patched firmware no longer responds with the password when sent the specially crafted message; additionally, three incorrect password entries result in a 3-hour lockout. Repeated failed password attempts followed by a lockout may indicate brute-force or exploit activity.
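The notes above name three observable signals: a PLC-to-host response that carries the PLC password, a burst of three failed password entries (the count the patched firmware locks out on), and the lockout itself. The script below is an added example written for this page; it is not code from the page, from AutomationDirect, or from the advisories. It runs over a constructed CSV event log whose layout (ts, channel, src, direction, kind, payload) is an assumption of the example, and it does not decode DirectLOGIC serial or ECOM frames, only already-extracted payload strings. It goes one step beyond the bullets by correlating a later successful login that presents the disclosed password from a different source, which is the follow-on activity a disclosure enables.

```python
"""Detection logic for CVE-2022-2003-style password disclosure and the lockout
behaviour described in the advisory notes. Added example; not vendor code.

Assumptions: one CSV event per frame with fields ts,channel,src,direction,kind,
payload, produced by some monitoring point; protocol framing is out of scope.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not captured traffic). "A1B2C3D4" stands in for the
# PLC's configured password; the crafted request's real contents are not known here.
SAMPLE_LOG = """\
ts,channel,src,direction,kind,payload
2022-08-31T10:00:00Z,serial,com1,to_plc,request,status_read
2022-08-31T10:00:00Z,serial,com1,from_plc,response,status=run
2022-08-31T10:00:05Z,serial,com1,to_plc,request,crafted_frame
2022-08-31T10:00:05Z,serial,com1,from_plc,response,A1B2C3D4
2022-08-31T10:01:00Z,ethernet,10.0.0.9,to_plc,auth,00000000
2022-08-31T10:01:00Z,ethernet,10.0.0.9,from_plc,auth_result,failed
2022-08-31T10:01:02Z,ethernet,10.0.0.9,to_plc,auth,12345678
2022-08-31T10:01:02Z,ethernet,10.0.0.9,from_plc,auth_result,failed
2022-08-31T10:01:04Z,ethernet,10.0.0.9,to_plc,auth,ABCDEF01
2022-08-31T10:01:04Z,ethernet,10.0.0.9,from_plc,auth_result,failed
2022-08-31T10:01:04Z,ethernet,10.0.0.9,from_plc,lockout,3h
2022-08-31T11:00:00Z,ethernet,10.0.0.5,to_plc,auth,A1B2C3D4
2022-08-31T11:00:00Z,ethernet,10.0.0.5,from_plc,auth_result,ok
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    channel: str
    src: str
    direction: str  # "to_plc" or "from_plc"
    kind: str       # request, response, auth, auth_result, lockout
    payload: str


def parse_log(text):
    """Parse the assumed CSV layout into Events, ordered by timestamp (stable)."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append(Event(datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                            row["channel"], row["src"], row["direction"],
                            row["kind"], row["payload"]))
    return sorted(events, key=lambda e: e.ts)


def detect_password_disclosure(events, known_passwords):
    """Flag any PLC-to-host payload that carries a configured password. Patched
    firmware never returns it, so a hit is actionable whatever request caused it."""
    return [e for e in events
            if e.direction == "from_plc" and any(p in e.payload for p in known_passwords)]


def detect_auth_failure_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Per source: `threshold` failed password entries inside `window`, plus any
    lockout the monitoring point records (assumed to be visible as an event)."""
    findings = []
    recent = defaultdict(list)  # src -> timestamps of failures still inside the window
    for e in events:
        if e.kind == "auth_result" and e.payload == "failed":
            fails = recent[e.src]
            fails.append(e.ts)
            while e.ts - fails[0] > window:
                fails.pop(0)
            if len(fails) == threshold:
                findings.append({"src": e.src, "ts": e.ts, "reason": "failed_password_burst"})
        elif e.kind == "auth_result" and e.payload == "ok":
            recent[e.src].clear()
        elif e.kind == "lockout":
            findings.append({"src": e.src, "ts": e.ts, "reason": "plc_lockout"})
    return findings


def detect_reuse_of_disclosed_password(events, disclosures):
    """A successful login presenting a password that earlier left the PLC, from a
    source other than the one that received it: review as possible credential theft."""
    findings = []
    last_attempt = {}  # src -> password presented in that source's latest auth request
    for e in events:
        if e.kind == "auth" and e.direction == "to_plc":
            last_attempt[e.src] = e.payload
        elif e.kind == "auth_result" and e.payload == "ok":
            pw = last_attempt.get(e.src)
            for d in disclosures:
                if pw and d.ts <= e.ts and d.src != e.src and pw in d.payload:
                    findings.append({"src": e.src, "ts": e.ts,
                                     "reason": "reuse_of_disclosed_password",
                                     "disclosed_via": d.channel})
    return findings


def run(log_text=SAMPLE_LOG, known_passwords=("A1B2C3D4",)):
    events = parse_log(log_text)
    disclosures = detect_password_disclosure(events, known_passwords)
    return {"disclosures": disclosures,
            "auth_bursts": detect_auth_failure_bursts(events),
            "reuse": detect_reuse_of_disclosed_password(events, disclosures)}


if __name__ == "__main__":
    for name, hits in run().items():
        print(name, [(h.ts, h.channel, h.src) if isinstance(h, Event) else h for h in hits])
```

The disclosure check deliberately matches on the site's own configured passwords rather than on a request signature, because the crafted message is not public and patched firmware simply stops echoing the password: any PLC-to-host payload containing it is a finding on its own. The burst detector counts failures per source within a sliding window and resets on a successful login; the threshold of three mirrors the lockout count in the advisory notes.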

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.1    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
ghsa                    7.3    HIGH
vulncheck               7.7    HIGH
cisa                    9.8    CRITICAL
vendor_msrc             7.8    HIGH
vendor_redhat           7.8    HIGH

Scores span 7.3 to 9.8. The NVD vector rates the attack vector as Network, while the description above concerns a message to the CPU serial port and the advisory notes under Detection & IOCs state that the serial variant is not remotely exploitable; treat the NVD score as an upper bound and rate actual exposure by which path (CPU serial port or H0-ECOM Ethernet module) is reachable from untrusted networks. The ghsa, vendor_msrc and vendor_redhat entries come from sources that score their own ecosystems rather than PLC firmware and, like the SwiftTerm, Juniper and CBL-Mariner rows in the affected table, are most likely aggregation noise for this CVE.