Lucene search
Piotr Bazydlo (@chudypb) of Trend Micro Zero Day InitiativeZDI-23-086HistoryJan 18, 2023 - 12:00 a.m.
Delta Electronics InfraSuite Device Master CtrlLayerNWCmd_FileOperation Opcode 512 Directory Traversal Remote Code Execution Vulnerability
2023-01-1800:00:00
Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative
www.zerodayinitiative.com
7
delta electronics
infrasuite
device master
ctrllayernwcmd_fileoperation
opcode 512
directory traversal
remote code execution
vulnerability
authentication bypass
user-supplied path
administrator
EPSS
0.004
Percentile
73.0%
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics InfraSuite Device Master. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within CtrlLayerNWCmd_FileOperation, opcode 512. When parsing the fileName element, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of an administrator.
Related
zdi
zdi
Delta Industrial Automation InfraSuite Device Master CtrlLayerNWCmd_FileOperation Directory Traversal Arbitrary File Deletion Vulnerability
2022-10-27 00:00:00
nvd
nvd
CVE-2022-41657
2022-10-31 20:15:13
prion
prion
Remote code execution
2022-10-31 20:15:00
cvelist
cvelist
CVE-2022-41657
2022-10-31 19:24:37
cve
cve
CVE-2022-41657
2022-10-31 20:15:13
ics
ics
Delta Electronics InfraSuite Device Master (Update A)
2023-01-18 12:00:00