CVE-2022-2758

Summary

Passwords are not adequately encrypted during the communication process between all versions of LS Industrial Systems (LSIS) Co. Ltd LS Electric XG5000 software prior to V4.0 and LS Electric PLCs: all versions of XGK-CPUU/H/A/S/E prior to V3.50, all versions of XGI-CPUU/UD/H/S/E prior to V3.20, all versions of XGR-CPUH prior to V1.80, all versions of XGB-XBMS prior to V3.00, all versions of XGB-XBCH prior to V1.90, and all versions of XGB-XECH prior to V1.30. This would allow an attacker to identify and decrypt the password of the affected PLCs by sniffing the PLC’s communication traffic.

Affected Software

VendorProductVersion RangeStatus
LS Industrial Systems (LSIS) Co. Ltd LS ElectricXG5000All versions < V4.0affected
LS Industrial Systems (LSIS) Co. Ltd LS ElectricPLC: XGB-XECHAll versions < V1.30affected
LS Industrial Systems (LSIS) Co. Ltd LS ElectricPLC: XGB-XBCHAll versions < V1.90affected
LS Industrial Systems (LSIS) Co. Ltd LS ElectricPLC: XGB-XBMSAll versions < V3.00affected
LS Industrial Systems (LSIS) Co. Ltd LS ElectricPLC: XGR-CPUHAll versions < V1.80affected
LS Industrial Systems (LSIS) Co. Ltd LS ElectricPLC: XGI-CPUU/UD/H/S/EAll versions < V3.20affected
LS Industrial Systems (LSIS) Co. Ltd LS ElectricPLC: XGK-CPUU/H/A/S/EAll versions < V3.50affected

Weaknesses

  • CWE-326: CWE-326 Inadequate Encryption Strength

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References