CVE-2022-25359
published 2022-02-26

CVE-2022-25359: On ICL ScadaFlex II SCADA Controller SC-1 and SC-2 1.03.07 devices, unauthenticated remote attackers can overwrite, delete, or create files.

Priority: P278 (critical)
CVSS 3.1 base score: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
Exploit: yes
EPSS: 37.30% (98.3rd percentile)

Affected (11 ranges)

Vendor    Product                  Version range            Fixed in
iclinks   scadaflex_ii_firmware    (6 ranges, not captured) (not captured)
iclinks   weblib                   (5 ranges, not captured) (not captured)

Detection & IOCs (extracted from sources)

url:   http://<controllerip>/d.php?N<filepos>,73,<filename>~<timestamp>
url:   http://<controllerip>/rW12IcL_Dat_N<filepos>,0=1~<timestamp>
path:  /d.php
path:  /rW12IcL_Dat_N
other: AES Encryption Key = 'ABCD1234abcd:ICL'
bytes: \x72\x57\x31\x32\x49\x63\x4c\x5f\x44\x61\x74\x5f\x4e (ASCII for 'rW12IcL_Dat_N')
  • Monitor for unauthenticated HTTP POST requests to /d.php with query parameters matching the pattern ?N<number>,73,<filename>~<unix_timestamp> — this is the file upload/overwrite endpoint used by the exploit.
  • Monitor for unauthenticated HTTP GET requests to /rW12IcL_Dat_N<number>,0=1~<unix_timestamp> — this is the file delete endpoint used by the exploit.
  • The exploit response check for the delete operation looks for the byte string 'rW12IcL_Dat_N' in the HTTP response body; alert on any HTTP traffic containing this string.
  • Successful file upload response contains the string '100'; monitor for HTTP POST responses to /d.php returning '100' as an indicator of successful exploitation.
  • Uploaded files are placed in the /l/ directory on the device; monitor for unexpected files appearing under http://<controllerip>/l/.
  • The exploit targets the SCADA HTTP Server with no authentication required; any HTTP request to /d.php or /rW12IcL_Dat_N from an external/untrusted source should be treated as suspicious.
  • The default AES encryption key hardcoded in the device firmware is publicly known and should be treated as compromised.
  • Industrial Control Links has closed its business; this product is effectively end-of-life with no vendor patches forthcoming.
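The detection bullets above, turned into a small access-log scanner as an added example (not code from the original page or from any vendor tool). It assumes the controller's HTTP server, or a proxy in front of it, writes Common Log Format lines, and that 10.10.0.0/24 is the trusted engineering network; both the log lines and the subnet are constructed for the example.

```python
import ipaddress
import re

# Request patterns from the IOCs above: file write via /d.php (POST) and
# file delete via /rW12IcL_Dat_N (GET). <filepos> and <timestamp> are digits.
UPLOAD_RE = re.compile(r"^/d\.php\?N(?P<pos>\d+),73,(?P<name>[^~\s]+)~(?P<ts>\d+)$")
DELETE_RE = re.compile(r"^/rW12IcL_Dat_N(?P<pos>\d+),0=1~(?P<ts>\d+)$")

# Common Log Format: src ident user [time] "METHOD target HTTP/x" status bytes
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed trusted engineering subnet (placeholder for the example).
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed sample log: two hits from an untrusted host, one benign page
# load, and one write from the trusted subnet (still worth an alert, since
# the endpoint enforces no authentication at all).
SAMPLE_LOG = """\
192.0.2.77 - - [26/Feb/2022:10:01:02 +0000] "POST /d.php?N0,73,config.txt~1645869662 HTTP/1.1" 200 3
192.0.2.77 - - [26/Feb/2022:10:01:09 +0000] "GET /rW12IcL_Dat_N0,0=1~1645869669 HTTP/1.1" 200 64
10.10.0.5 - - [26/Feb/2022:10:02:00 +0000] "GET /index.htm HTTP/1.1" 200 2048
10.10.0.5 - - [26/Feb/2022:10:02:30 +0000] "POST /d.php?N1,73,alarm.csv~1645869750 HTTP/1.1" 200 3
"""

def _trusted(src):
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)

def classify(line):
    """Return the alert tags for one log line (empty list if nothing matched)."""
    m = CLF_RE.match(line)
    if not m:
        return []
    method, target, src = m["method"], m["target"], m["src"]
    path = target.split("?", 1)[0]
    tags = []
    if method == "POST" and UPLOAD_RE.match(target):
        tags.append("scadaflex_file_write")
    if method == "GET" and DELETE_RE.match(target):
        tags.append("scadaflex_file_delete")
    # Any touch of either endpoint from outside the trusted subnet is suspicious.
    if (path == "/d.php" or path.startswith("/rW12IcL_Dat_N")) and not _trusted(src):
        tags.append("scadaflex_untrusted_source")
    return tags

def scan(lines):
    """Map line index -> tags for every line that raised at least one tag."""
    return {i: t for i, t in ((i, classify(l)) for i, l in enumerate(lines)) if t}

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_LOG.splitlines()).items():
        print(idx, tags)
```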

CVSS provenance

NVD, CVSS v3.1: 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
NVD, CVSS v2.0: 6.4 MEDIUM, AV:N/AC:L/Au:N/C:N/I:P/A:P