CVE-2022-2003
Published 2022-08-31
CVE-2022-2003: AutomationDirect DirectLOGIC is vulnerable to a specifically crafted serial message to the CPU serial port that will cause the PLC to respond with the PLC…
Priority P180 · critical 9.1 (CVSS 3.1)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 0.60% (44.2nd percentile)
AutomationDirect DirectLOGIC is vulnerable to a specifically crafted serial message to the CPU serial port that will cause the PLC to respond with the PLC password in cleartext. This could allow an attacker to access and make unauthorized changes. This issue affects: AutomationDirect DirectLOGIC D0-06 series CPUs D0-06DD1 versions prior to 2.72; D0-06DD2 versions prior to 2.72; D0-06DR versions prior to 2.72; D0-06DA versions prior to 2.72; D0-06AR versions prior to 2.72; D0-06AA versions prior to 2.72; D0-06DD1-D versions prior to 2.72; D0-06DD2-D versions prior to 2.72; D0-06DR-D versions prior to 2.72;
Affected (23 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| automationdirect | d0-06aa_firmware | < 2.72 | 2.72 |
| automationdirect | d0-06ar_firmware | < 2.72 | 2.72 |
| automationdirect | d0-06da_firmware | < 2.72 | 2.72 |
| automationdirect | d0-06dd1-d_firmware | < 2.72 | 2.72 |
| automationdirect | d0-06dd1_firmware | < 2.72 | 2.72 |
| automationdirect | d0-06dd2-d_firmware | < 2.72 | 2.72 |
| automationdirect | d0-06dd2_firmware | < 2.72 | 2.72 |
| automationdirect | d0-06dr-d_firmware | < 2.72 | 2.72 |
| automationdirect | d0-06dr_firmware | < 2.72 | 2.72 |
| automationdirect | directlogic_d0-06_series_cpus | >= D0-06AA < 2.72 | 2.72 |
| automationdirect | directlogic_d0-06_series_cpus | >= D0-06AR < 2.72 | 2.72 |
| automationdirect | directlogic_d0-06_series_cpus | >= D0-06DA < 2.72 | 2.72 |
| automationdirect | directlogic_d0-06_series_cpus | >= D0-06DD1 < 2.72 | 2.72 |
| automationdirect | directlogic_d0-06_series_cpus | >= D0-06DD1-D < 2.72 | 2.72 |
| automationdirect | directlogic_d0-06_series_cpus | >= D0-06DD2 < 2.72 | 2.72 |
| automationdirect | directlogic_d0-06_series_cpus | >= D0-06DD2-D < 2.72 | 2.72 |
| automationdirect | directlogic_d0-06_series_cpus | >= D0-06DR < 2.72 | 2.72 |
| automationdirect | directlogic_d0-06_series_cpus | >= D0-06DR-D < 2.72 | 2.72 |
| github.com | migueldeicaza_swiftterm | >= 0 < 1.2.0 | 1.2.0 |
| juniper | junos_os | — | — |
| juniper | qfx_series | — | — |
| msrc | cbl2_kernel_5.15.26.1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_kernel_5.10.102.1-1_on_cbl_mariner_1.0 | — | — |
Detection & IOCs (extracted from sources)
- Detect network traffic associated with a password retrieval exploit targeting DirectLogic PLCs leveraging CVE-2022-2003 — monitor for specially crafted Ethernet packets sent to DirectLogic PLCs that elicit a cleartext password response.
- Detect specially crafted Ethernet packets sent to DirectLogic PLCs (H0-ECOM/H0-ECOM100 modules) that cause the PLC to respond with its password in cleartext — inspect for anomalous PLC responses containing credential data over Ethernet.
- Detect specially crafted serial messages sent to the CPU serial port of DirectLogic PLCs that cause the PLC to respond with its password in cleartext — monitor serial communication channels for anomalous password disclosure responses.
- CVE-2022-2003 affects both serial and Ethernet attack vectors. The serial variant (ICSA-22-167-02) is NOT exploitable remotely, while the Ethernet variant (ICSA-22-167-03) IS exploitable remotely with low attack complexity — detection strategies must account for both communication paths.
- No known public exploits specifically targeting these vulnerabilities were identified at time of advisory publication — detections should focus on anomalous PLC communication patterns rather than known exploit signatures.
- Patched firmware will no longer respond with the password when requested with the specially crafted message; additionally, three incorrect password entries result in a 3-hour lockout — detection of repeated failed password attempts followed by lockout may indicate brute-force or exploit activity.
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| ghsa | 7.3 | HIGH | — |
| vulncheck | 7.7 | HIGH | — |
| cisa | 9.8 | CRITICAL | — |
| vendor_msrc | 7.8 | HIGH | — |
| vendor_redhat | 7.8 | HIGH | — |
Red Hat
kernel: usbnet: Fix linkwatch use-after-free on disconnect
vendor_redhat·2025-06-18·CVSS 7.8
CVE-2022-50220 [HIGH] kernel: usbnet: Fix linkwatch use-after-free on disconnect
In the Linux kernel, the following vulnerability has been resolved:
usbnet: Fix linkwatch use-after-free on disconnect
usbnet uses the work usbnet_deferred_kevent() to perform tasks which may
sleep. On disconnect, completion of the work was originally awaited in
->ndo_stop(). But in 2003, that was moved to ->disconnect() by historic
commit "[PATCH] USB: usbnet, prevent exotic rtnl deadlock":
https://git.kernel.org/tglx/history/c/0f138bbfd83c
The change was made because back then, the kernel's workqueue
implementation did not allow waiting for a single work. One had to wait
for completion of *all* work by calling flush_scheduled_work(), and that
could deadlock when waiting for usbnet_deferred_kevent() with rtnl_mutex
held in ->ndo_
Juniper
CVE-2022-22216: An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in the PFE of Juniper Networks Junos OS on PTX Series and QFX10k Series al
vendor_juniper·2022-07-20·CVSS 4.3
CVE-2022-22216 [MEDIUM] CWE-200 CVE-2022-22216: An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in the PFE of Juniper Networks Junos OS on PTX Series and QFX10k Series al
CVE-2022-22216: An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in the PFE of Juniper Networks Junos OS on PTX Series and QFX10k Series allows an adjacent unauthenticated attacker to gain access to sensitive information. PTX1000 and PTX10000 Series, and QFX10000 Series and PTX5000 Series devices sometimes do not reliably pad Ethernet packets, and thus some packets can contain fragments of system memory or data from previous packets. This issue is also known as 'Etherleak' and often detected as CVE-2003-0001. This issue affects: Juniper Networks Junos OS on PTX1000 and PTX10000 Series: All versions prior to 18.4R3-S11; 19.1 versions prior to 19.1R2-S3, 19.1R3-S7; 19.2 versions prior to 19.2R1-S8, 19.2R3-S4; 19.3 versions prior to 19.3R3-S4; 19.4 versions prior to
CISA ICS
AutomationDirect DirectLOGIC with Ethernet (Update A)
cisa_ics·2022-06-16
Last Revised: September 20, 2022
Alert Code: ICSA-22-167-03
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.5
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: AutomationDirect
- Equipment: DirectLOGIC with Ethernet Communication Modules
- Vulnerabilities: Uncontrolled Resource Consumption, Cleartext Transmission of Sensitive Information
## 2. UPDATE OR REPOSTED INFORMATION
This updated advisory is a follow-up to the original advisory titled ICSA-22-167-03 AutomationDirect DirectLOGIC with Ethernet that was published Ju
CISA ICS
AutomationDirect DirectLOGIC with Serial Communication (Update A)
cisa_ics·2022-06-16
Last Revised: September 20, 2022
Alert Code: ICSA-22-167-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.7
- ATTENTION: Low attack complexity
- Vendor: AutomationDirect
- Equipment: DirectLOGIC with Serial Communication
- Vulnerability: Cleartext Transmission of Sensitive Information
## 2. UPDATE OR REPOSTED INFORMATION
This updated advisory is a follow-up to the original advisory titled ICSA-22-167-02 AutomationDirect DirectLOGIC with Serial Communication that was published June 16, 2022, on the ICS webpage on cisa.gov/
Red Hat
kernel: Executable Space Protection Bypass
vendor_redhat·2022-02-16·CVSS 7.8
CVE-2022-25265 [HIGH] CWE-281 kernel: Executable Space Protection Bypass
In the Linux kernel through 5.16.10, certain binary files may have the exec-all attribute if they were built in approximately 2003 (e.g., with GCC 3.2.2 and Linux kernel 2.4.20). This can cause execution of bytes located in supposedly non-executable regions of a file.
A vulnerability was found in the Linux kernel when certain binary files have the exec-all attribute with gcc. This issue can cause the execution of bytes located in the non-executable regions of a file.
Statement: This vulnerability only applies when running 32-bit executables on an x86_64 kernel. The developer would need to intentionally make their app vulnerable by:
1) Compiling it to 32 bits
2) Remove the PT_GNU_STACK ELF field by compiling with an old GCC, using some tricky lin
Microsoft
In the Linux kernel through 5.16.10 certain binary files may have the exec-all attribute if they were built in approximately 2003 (e.g. with GCC 3.2.2 and Linux kernel 2.4.20). This can cause executio
vendor_msrc·2022-02-08·CVSS 7.8
CVE-2022-25265 [HIGH] CWE-913 In the Linux kernel through 5.16.10 certain binary files may have the exec-all attribute if they were built in approximately 2003 (e.g. with GCC 3.2.2 and Linux kernel 2.4.20). This can cause executio
In the Linux kernel through 5.16.10 certain binary files may have the exec-all attribute if they were built in approximately 2003 (e.g. with GCC 3.2.2 and Linux kernel 2.4.20). This can cause execution of bytes located in supposedly non-executable regions of a file.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information.
CISA
Microsoft Windows Server Buffer Overflow Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2017-7269 [CRITICAL] CWE-119 Microsoft Windows Server Buffer Overflow Vulnerability
Vulnerability: Microsoft Windows Server Buffer Overflow Vulnerability
Affected: Microsoft Internet Information Services (IIS)
Microsoft Windows Server 2003 R2 contains a buffer overflow vulnerability in Internet Information Services (IIS) 6.0 which allows remote attackers to execute code via a long header beginning with "If: <http://" in a PROPFIND request.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-7269
Remediation Due Date: 2022-05-03
GHSA
SwiftTerm Code Injection vulnerability
ghsa·2023-07-14·CVSS 7.3
CVE-2022-23465 [HIGH] CWE-94 SwiftTerm Code Injection vulnerability
### Impact
An attacker could modify the window title via a certain character escape sequence and then insert it back into the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.
### Credit
These bugs were found and disclosed by David Leadbeater (@dgl at Github.com)
### Patches
Fixed in version ce596e0dc8cdb288bc7ed5c6a59011ee3a8dc171
### Workarounds
There are no workarounds available
### References
Similar exploits to this existed in the past, for terminal emulators:
https://nvd.nist.gov/vuln/detail/CVE-2003-0063
https://nvd.nist.gov/vuln/detail/CVE-2008-2383
Additional background and information is also available:
https://marc.info
GHSA
GHSA-cwvq-v3mj-c66c: AutomationDirect DirectLOGIC is vulnerable to a specifically crafted serial message to the CPU serial port that will cause the PLC to respond with the
ghsa_unreviewed·2022-09-01
CVE-2022-2003 [CRITICAL] CWE-319 GHSA-cwvq-v3mj-c66c: AutomationDirect DirectLOGIC is vulnerable to a specifically crafted serial message to the CPU serial port that will cause the PLC to respond with the
AutomationDirect DirectLOGIC is vulnerable to a specifically crafted serial message to the CPU serial port that will cause the PLC to respond with the PLC password in cleartext. This could allow an attacker to access and make unauthorized changes. This issue affects: AutomationDirect DirectLOGIC D0-06 series CPUs D0-06DD1 versions prior to 2.72; D0-06DD2 versions prior to 2.72; D0-06DR versions prior to 2.72; D0-06DA versions prior to 2.72; D0-06AR versions prior to 2.72; D0-06AA versions prior to 2.72; D0-06DD1-D versions prior to 2.72; D0-06DD2-D versions prior to 2.72; D0-06DR-D versions prior to 2.72;
VulnCheck
automationdirect d0-06dd1_firmware Cleartext Transmission of Sensitive Information
vulncheck·2022·CVSS 7.7
CVE-2022-2003 [HIGH] automationdirect d0-06dd1_firmware Cleartext Transmission of Sensitive Information
AutomationDirect DirectLOGIC is vulnerable to a specifically crafted serial message to the CPU serial port that will cause the PLC to respond with the PLC password in cleartext. This could allow an attacker to access and make unauthorized changes. This issue affects: AutomationDirect DirectLOGIC D0-06 series CPUs D0-06DD1 versions prior to 2.72; D0-06DD2 versions prior to 2.72; D0-06DR versions prior to 2.72; D0-06DA versions prior to 2.72; D0-06AR versions prior to 2.72; D0-06AA versions prior to 2.72; D0-06DD1-D versions prior to 2.72; D0-06DD2-D versions prior to 2.72; D0-06DR-D versions prior to 2.72;
Affected: automationdirect d0-06dd1_firmware
Required Action: Apply remediations or mitigations per v
Suricata
GPL NETBIOS DCERPC CoGetInstanceFromFile little endian overflow attempt
suricata·2010-09-23
CVE-2003-0995 GPL NETBIOS DCERPC CoGetInstanceFromFile little endian overflow attempt
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|00|"; offset:1; depth:1; content:"|01 00|"; distance:19; within:2; byte_test:4,>,128,20,relative,little; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103158; rev:8; metadata:created_at 2010_09_23, cve CVE_2003_0995, confidence Medium, signature_severity Informational, updated_at 2022_04_18;)
No public exploits indexed.
Dragos
OT Security Advisories
blogs_dragos·2025-09-17·CVSS 7.5
CVE-2024-432057 [HIGH] OT Security Advisories
These advisories cover OT/ICS vulnerabilities discovered and disclosed by Dragos as an authorized CVE Numbering Authority (CNA).
| Threat Level | Name | CVE ID | Vulnerability Type | Affects |
|---|---|---|---|---|
| Limited Threat | Maples Systems/Weintek HMI Panel and EBPro Software Vulnerabilities | CVE-2024-432057, CVE-2024-7710 | Incorrect Permission Assignment for Critical Resource; Integrity check fails to identify out-of-band logic changes | Maple Systems and Weintek Brand HMI panels: iP Series: All versions, all models; iE Series: All versions, all models; eMT Series: All versions, all models; XE Series: All versions, all models; mTV Series: All versions, all models |
Dragos
New Knowledge Pack Released (KP-2022-008)
blogs_dragos·2022-11-16
Dragos
The Trojan Horse Malware & Password “Cracking” Ecosystem Targeting Industrial Operators
blogs_dragos·2022-07-14
Bugzilla
CVE-2022-50220 kernel: usbnet: Fix linkwatch use-after-free on disconnect
bugzilla·2025-06-18·CVSS 7.8
CVE-2022-50220 [HIGH] CVE-2022-50220 kernel: usbnet: Fix linkwatch use-after-free on disconnect
In the Linux kernel, the following vulnerability has been resolved:
usbnet: Fix linkwatch use-after-free on disconnect
usbnet uses the work usbnet_deferred_kevent() to perform tasks which may
sleep. On disconnect, completion of the work was originally awaited in
->ndo_stop(). But in 2003, that was moved to ->disconnect() by historic
commit "[PATCH] USB: usbnet, prevent exotic rtnl deadlock":
https://git.kernel.org/tglx/history/c/0f138bbfd83c
The change was made because back then, the kernel's workqueue
implementation did not allow waiting for a single work. One had to wait
for completion of *all* work by calling flush_scheduled_work(), and that
could deadlock when waiting for usbnet_deferred_kevent() with rtnl_m