CVE-2022-45127

Summary

Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 is vulnerable to cross-site request forgery in its backup services. An attacker could take advantage of this vulnerability to execute arbitrary backup operations and cause a denial-of-service condition.

Affected Software

VendorProductVersion RangeStatus
SewioRTLS Studio2.0.0 <= 2.6.2affected

Weaknesses

  • CWE-352: CWE-352 Cross-Site Request Forgery (CSRF)

Workarounds

Sewio also recommends the following workarounds to reduce the risk of exploitation:

  • Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01 .

    • Locate control system networks and remote devices behind firewalls and isolate them from business networks.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References