1. EXECUTIVE SUMMARY
- CVSS v4 7.0
- ATTENTION: Low Attack Complexity
- Vendor: Beckhoff Automation
- Equipment: TwinCAT Package Manager
- Vulnerability: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
2. RISK EVALUATION
Successful exploitation this vulnerability could allow a local attacker with administrative access rights to execute arbitrary OS commands on the affected system.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Beckhoff Automation products are affected:
- TwinCAT Package Manager: Versions prior to 1.0.603.0
3.2 Vulnerability Overview
3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78
A local user with administrative access rights can enter specially crafted values for settings at the user interface (UI) of the TwinCAT Package Manager which then causes arbitrary OS commands to be executed.
CVE-2024-8934 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-8934. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufact
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.This article has been indexed from All CISA AdvisoriesRead the original article: