CVE-2022-1794

Plaintext Storage of a password in CODESYS V3 OPC DA Server

CVSS 5.5 MEDIUMEPSS 0.2%CWE-256

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5.5EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

11 Jul 2022Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The CODESYS OPC DA Server prior V3.5.18.20 stores PLC passwords as plain text in its configuration file so that it is visible to all authorized Microsoft Windows users of the system.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected products

CODESYS · CODESYS OPC DA Server

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=17129&token=1c1485c4a700c04f2069699f5be7558d276ca117&download=