CVE-2022-25359
published 2022-02-26
CVE-2022-25359: On ICL ScadaFlex II SCADA Controller SC-1 and SC-2 1.03.07 devices, unauthenticated remote attackers can overwrite, delete, or create files.
Priority: P278 · critical · 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EXPLOIT
EPSS: 37.30% (98.3th percentile)
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| iclinks | scadaflex_ii_firmware | — | — |
| iclinks | scadaflex_ii_firmware | — | — |
| iclinks | scadaflex_ii_firmware | — | — |
| iclinks | scadaflex_ii_firmware | — | — |
| iclinks | scadaflex_ii_firmware | — | — |
| iclinks | scadaflex_ii_firmware | — | — |
| iclinks | weblib | — | — |
| iclinks | weblib | — | — |
| iclinks | weblib | — | — |
| iclinks | weblib | — | — |
| iclinks | weblib | — | — |
Detection & IOCs (extracted from sources)
bytes: \x72\x57\x31\x32\x49\x63\x4c\x5f\x44\x61\x74\x5f\x4e
- Monitor for unauthenticated HTTP POST requests to /d.php with query parameters matching the pattern ?N<number>,73,<filename>~<unix_timestamp>; this is the file upload/overwrite endpoint used by the exploit.
- Monitor for unauthenticated HTTP GET requests to /rW12IcL_Dat_N<number>,0=1~<unix_timestamp>; this is the file delete endpoint used by the exploit.
- The exploit response check for the delete operation looks for the byte string 'rW12IcL_Dat_N' in the HTTP response body; alert on any HTTP traffic containing this string.
- Successful file upload response contains the string '100'; monitor for HTTP POST responses to /d.php returning '100' as an indicator of successful exploitation.
- Uploaded files are placed in the /l/ directory on the device; monitor for unexpected files appearing under http://<controllerip>/l/.
- The exploit targets the SCADA HTTP Server with no authentication required; any HTTP request to /d.php or /rW12IcL_Dat_N from an external/untrusted source should be treated as suspicious.
- The default AES encryption key hardcoded in the device firmware is publicly known and should be treated as compromised.
- Industrial Control Links has closed its business; this product is effectively end-of-life with no vendor patches forthcoming.
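The request patterns listed above can be checked against web or proxy access logs. The following is an added example, not taken from the advisory or its sources; it assumes combined-format access logs from a proxy in front of the controller, assumes a written file keeps its name under /l/, and runs on constructed sample lines.

```python
import re
from urllib.parse import unquote, urlsplit

UPLOAD_QS = re.compile(r"^N\d+,73,([^~]+)~\d+$")          # /d.php?N<n>,73,<file>~<ts>
DELETE_PATH = re.compile(r"^/rW12IcL_Dat_N\d+,0=1~\d+$")  # /rW12IcL_Dat_N<n>,0=1~<ts>
# Assumption: combined-format access log from a proxy in front of the controller.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3}')

def classify(method, target):
    """Return (label, detail) for one request, or None if unrelated."""
    parts = urlsplit(target)
    path, query = unquote(parts.path), unquote(parts.query)  # decode %-escapes first
    if path == "/d.php":
        m = UPLOAD_QS.match(query)
        if method == "POST" and m:
            return ("file-write", m.group(1))
        return ("suspicious-endpoint", path)  # any other touch of /d.php
    if path.startswith("/rW12IcL_Dat_N"):
        if method == "GET" and DELETE_PATH.match(path):
            return ("file-delete", path)
        return ("suspicious-endpoint", path)
    return None

def scan(lines):
    """Return (client, label, detail) hits, including later fetches of written names under /l/."""
    written, hits = set(), []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, method, target = m.groups()
        hit = classify(method, target)
        path = unquote(urlsplit(target).path)
        if hit and hit[0] == "file-write":
            written.add(hit[1])
        elif hit is None and path.startswith("/l/") and path[3:] in written:
            hit = ("written-file-fetched", path)  # assumes the name is kept under /l/
        if hit:
            hits.append((client, *hit))
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [26/Feb/2022:10:00:01 +0000] "POST /d.php?N1,73,test.txt~1645869601 HTTP/1.1" 200 3',
    '198.51.100.7 - - [26/Feb/2022:10:00:02 +0000] "GET /l/test.txt HTTP/1.1" 200 12',
    '198.51.100.7 - - [26/Feb/2022:10:00:05 +0000] "GET /rW12IcL_Dat_N1,0=1~1645869605 HTTP/1.1" 200 20',
    '192.0.2.10 - - [26/Feb/2022:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]
print("\n".join(map(str, scan(SAMPLE))))
```

Access logs do not record response bodies, so the '100' and 'rW12IcL_Dat_N' response checks need a network sensor or proxy that inspects bodies.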
CVSS provenance
- nvd · v3.1 · 9.1 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
- nvd · v2.0 · 6.4 · MEDIUM · AV:N/AC:L/Au:N/C:N/I:P/A:P
CISA ICS
Industrial Control Links ScadaFlex II SCADA Controllers
cisa_ics·2023-04-06·CVSS 9.1
[CRITICAL] Industrial Control Links ScadaFlex II SCADA Controllers
ICS Advisory
## Industrial Control Links ScadaFlex II SCADA Controllers
Release Date: April 06, 2023
Alert Code: ICSA-23-096-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.1
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: Industrial Control Links
- Equipment: ScadaFlex II SCADA Controllers
- Vulnerability: External Control of File Name or Path
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an authenticated attacker to overwrite, delete, or create files.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of Industrial Control Links ScadaFlex II SCADA Controllers are affected:
- SW: 1.03.07 (build 317), WebLib: 1.24
- SW: 1.02.20 (build 286), WebLib: 1.24
- SW: 1.0
GHSA
GHSA-cwqx-fr79-h3cp: On ICL ScadaFlex II SCADA Controller SC-1 and SC-2 1
ghsa_unreviewed·2022-02-27
CVE-2022-25359 [CRITICAL] CWE-287 GHSA-cwqx-fr79-h3cp: On ICL ScadaFlex II SCADA Controller SC-1 and SC-2 1
On ICL ScadaFlex II SCADA Controller SC-1 and SC-2 1.03.07 devices, unauthenticated remote attackers can overwrite, delete, or create files.
No detection rules found.
No writeups or analysis indexed.
- http://files.iclinks.com/datasheets/Scadaflex%20II/Scadaflex%20SC-1%20&%20SC-2_A1_compressed.pdf
- https://packetstormsecurity.com/files/166103/ICL-ScadaFlex-II-SCADA-Controllers-SC-1-SC-2-1.03.07-Remote-File-Modification.html
Published: 2022-02-26