CVE-2023-22804

Published Feb 15, 2023

Last updated a year ago

Overview

Description: LS ELECTRIC XBC-DN32U with operating system version 01.80 is missing authentication to create users on the PLC. This could allow an attacker to create and use an account with elevated privileges and take control of the device.
Source: ics-cert@hq.dhs.gov
NVD status: Modified

Hype score: Not currently trending

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

ics-cert@hq.dhs.gov: CWE-306

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:ls-electric:xbc-dn32u_firmware:01.80:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "242DFA36-841D-457E-B4B7-592A73993C76"
          }
        ],
        "operator": "OR"
      },
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:h:ls-electric:xbc-dn32u:-:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "78A41BC8-F37E-41EE-BA99-AC992AC24F32"
          }
        ],
        "operator": "OR"
      }
    ],
    "operator": "AND"
  }
]

Overview

Social media

Risk scores

CVSS 3.1

Weaknesses

Configurations

References