CVE-2022-25249

7.5 HIGH

📋 TL;DR

CVE-2022-25249 is a directory traversal vulnerability in Axeda agent and Axeda Desktop Server for Windows that allows remote unauthenticated attackers to read arbitrary files from the file system. This affects all versions of Axeda agent except v6.9.2 and v6.9.3, and all versions of Axeda Desktop Server for Windows. Organizations using these products for industrial control system (ICS) management are at risk.

💻 Affected Systems

Products:
  • Axeda agent
  • Axeda Desktop Server for Windows
Versions: All versions except Axeda agent v6.9.2 and v6.9.3
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Axeda agent on all platforms and Axeda Desktop Server specifically on Windows. The vulnerability exists when connecting to a certain port on these services.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could read sensitive configuration files, credentials, or proprietary data, potentially enabling further attacks on industrial control systems.

🟠 Likely Case: Unauthenticated attackers read system files, configuration data, or other sensitive information accessible via the web server.

🟢 If Mitigated: File access is limited by web server permissions and file system ACLs.

🌐 Internet-Facing: HIGH - Remote unauthenticated exploitation makes internet-facing instances extremely vulnerable.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Directory traversal vulnerabilities are typically easy to exploit once the vulnerable endpoint is identified. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Axeda agent v6.9.2 and v6.9.3 are not vulnerable. For other versions, consult vendor advisories.

Vendor Advisory: https://www.ptc.com/en/support/article/CS363561

Restart Required: Yes

Instructions:

1. Review PTC advisory CS363561.
2. Upgrade to non-vulnerable versions.
3. Apply any available patches.
4. Restart affected services.
5. Verify the fix.

🔧 Temporary Workarounds

Network Segmentation (all platforms)

  • Restrict access to Axeda agent and Desktop Server ports to trusted networks only
  • Use firewall rules to block external access to Axeda services

Web Server Configuration Hardening (Windows)

  • Configure web server to reject directory traversal attempts
  • Configure web server to sanitize file path inputs

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Axeda systems from untrusted networks
  • Deploy web application firewall (WAF) rules to detect and block directory traversal patterns

🔍 How to Verify

Check if Vulnerable:

Check if running vulnerable versions of Axeda agent or Axeda Desktop Server for Windows. Test for directory traversal by attempting to access files outside web root.

Check Version:

Check Axeda agent/Desktop Server version through administration interface or configuration files

Verify Fix Applied:

Verify version is not vulnerable (Axeda agent v6.9.2/v6.9.3 or patched). Test that directory traversal attempts are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed attempts to access files with ../ patterns
  • Unusual file access patterns from external IPs

Network Indicators:

  • HTTP requests containing ../ patterns to Axeda service ports
  • Unusual file downloads from Axeda services

SIEM Query:

source="axeda" AND (uri="*../*" OR uri="*..\\*")
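The SIEM query above matches only literal `../` and `..\` sequences. The following added example (not vendor or project code) goes a step further and also catches percent-encoded and double-encoded forms by normalizing the URI before checking for a `..` path segment. The log layout, the sample lines and the function names are assumptions constructed for illustration; the page does not give the Axeda log format.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in an assumed "client method uri status" layout.
# Adapt LINE_RE to the format your Axeda service or proxy actually writes.
SAMPLE_LOG = """\
198.51.100.7 GET /index.html 200
198.51.100.7 GET /../../windows/win.ini 200
203.0.113.9 GET /files/..%5c..%5cboot.ini 404
203.0.113.9 GET /a/%252e%252e%252fconfig.xml 200
192.0.2.15 GET /docs/release..notes.txt 200
192.0.2.15 GET /img/logo.png?v=1..2 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
MAX_DECODE_ROUNDS = 3  # bounded, so nested encodings cannot loop forever


def normalize(uri: str) -> str:
    """Undo nested percent-encoding and unify path separators."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.replace("\\", "/")


def is_traversal(uri: str) -> bool:
    """True only when '..' is a whole segment of the path or a query value."""
    return ".." in re.split(r"[/?&=]", normalize(uri))


def scan(log_text: str):
    """Return (client, uri, status) for each request with a traversal segment."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_traversal(m.group(3)):
            hits.append((m.group(1), m.group(3), int(m.group(4))))
    return hits


if __name__ == "__main__":
    for client, uri, status in scan(SAMPLE_LOG):
        print(f"{client} {status} {uri}")
```

A flagged line with status 200 means the request was served, so the returned file should be reviewed; names such as `release..notes.txt` are not flagged because the check is per segment.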
