
CVE-2018-10601

CWE-121: STACK-BASED BUFFER OVERFLOW
The vulnerability exposes an "echo" service in which an attacker-sent buffer, directed at an attacker-chosen device address within the same subnet, is copied onto the stack with no bounds check, resulting in a stack-based buffer overflow.

CVE-2018-10599

CWE-200: INFORMATION EXPOSURE
The vulnerability allows an unauthenticated attacker to read memory from an attacker-chosen device address within the same subnet.

CVE-2018-10597

CWE-287: IMPROPER AUTHENTICATION
The vulnerability allows an unauthenticated attacker to access memory ("write-what-where") from an attacker-chosen device address within the same subnet.

CVE-2018-18564

CWE-284: IMPROPER ACCESS CONTROL
Improper access control to a service command allows attackers in the adjacent network to execute arbitrary code on the system through a crafted message.

CVE-2018-18563

CWE-434: UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE
A vulnerability in the software update mechanism allows an attacker in the adjacent network to overwrite arbitrary files on the system through a crafted update package.

CVE-2018-18562

CWE-78: IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION')
Insecure permissions in a service interface may allow authenticated attackers in the adjacent network to execute arbitrary commands on the operating system.

CVE-2018-18561

CWE-287: IMPROPER AUTHENTICATION
Weak access credentials may enable attackers in the adjacent network to gain unauthorized service access via a service interface.

CVE-2019-6834

DESERIALIZATION OF UNTRUSTED DATA CWE-502
A vulnerability exists which could allow an attacker to execute arbitrary code on the targeted system with SYSTEM privileges when placing a malicious file at a certain location on the filesystem. By default, this folder location requires the malicious user to be authenticated for this vulnerability to be successfully exploited.

CVE-2019-13921

INSUFFICIENT RESOURCE POOL CWE-410
An unauthenticated attacker sending a large HTTP request to the host where WinAC RTX is running may trigger a denial-of-service condition.

CVE-2019-13559

USE OF HARD-CODED CREDENTIALS CWE-798
The affected product is shipped with pre-configured hard-coded credentials that may allow root-user access to the controller. A limited application of the affected product may ship without setup and configuration instructions immediately available to the end user. The bulk of controllers go into applications requiring the GE commissioning engineer to change default configurations during the installation process.

CVE-2019-13554

IMPROPER AUTHORIZATION CWE-285
The affected product has an unsecured Telnet protocol that may allow a user to create an authenticated session using generic default credentials.

CVE-2019-19279

IMPROPER INPUT VALIDATION CWE-20
Specially crafted packets sent to Port 50000/UDP of the EN100 Ethernet communication modules could cause a denial-of-service condition on the affected device. A manual reboot is required to recover the service of the device.

CVE-2019-19108

IMPROPER AUTHORIZATION CWE-285
The affected products are vulnerable to a weakness in the SNMP service, which allows unauthenticated users to modify the configuration via the service.

CVE-2020-10939

An unprivileged user can overwrite the main service of 'PC WORX SRT' under the Phoenix Contact installation path and thereby escalate to run code as the SYSTEM user, gaining local privilege escalation.
A malicious user can leverage this to replace the main 'PC WORX SRT' service binary with a rogue binary, which results in malicious code running as the SYSTEM user.

CVE-2020-6992

IMPROPER PRIVILEGE MANAGEMENT CWE-269
A local privilege escalation vulnerability has been identified in the GE Digital CIMPLICITY HMI/SCADA product. If exploited, this vulnerability could allow an adversary to modify the system, leading to the arbitrary execution of code. This vulnerability is only exploitable if an attacker has access to an authenticated session.

CVE-2020-10641

IMPROPER ACCESS CONTROLS CWE-284
An unprotected logging route may allow an attacker to write endless log statements into the database without space limits or authentication. This results in consuming the entire available hard-disk space, causing a denial-of-service condition.

CVE-2020-7494

PATH TRAVERSAL CWE-22
An attacker could exploit this path traversal vulnerability by getting a user to visit a malicious page or open a malicious file.

CVE-2020-10612

IMPROPER ACCESS CONTROL CWE-284
SoftPACAgent communicates with SoftPACMonitor over network Port 22000. However, this port is open without any restrictions. This allows an attacker with network access to control the SoftPACAgent service including updating SoftPAC firmware, starting or stopping service, or writing to certain registry values.

Read more: "Security Flaws in Software-Based PLCs Enable Remote Code Execution on Windows Box"

CVE-2019-6820

A CWE-306: Missing Authentication for Critical Function vulnerability exists which could cause modification of the device IP configuration (IP address, network mask and gateway IP address).

CVE-2020-12034

IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND ('SQL INJECTION') CWE-89
The EDS subsystem does not provide adequate input sanitization, which may allow an attacker to craft specialized EDS files to inject SQL queries and manipulate the database storing the EDS files. This may lead to denial-of-service (DoS) conditions or allow an attacker to manipulate the SQL engine to write or modify files on the system.

Read more: "EDS Subsystem Vulnerabilities Expose OT Assets to Malicious File Delivery"
