CVE-2022-25359

9.1 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to modify files on ICL ScadaFlex II SCADA controllers. Attackers can overwrite, delete, or create files without any authentication, potentially disrupting industrial control systems. This affects SC-1 and SC-2 controllers running version 1.03.07.

💻 Affected Systems

Products:
  • ICL ScadaFlex II SCADA Controller SC-1
  • ICL ScadaFlex II SCADA Controller SC-2
Versions: 1.03.07
Operating Systems: Embedded/SCADA-specific OS
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running the affected firmware version are vulnerable in default configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to modify critical SCADA configuration files, disrupt industrial processes, cause physical damage, or establish persistent backdoors.

🟠 Likely Case

Unauthorized file modifications leading to service disruption, configuration changes, or data corruption affecting SCADA operations.

🟢 If Mitigated

Limited impact if controllers are isolated in air-gapped networks with strict access controls and file integrity monitoring.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation allows direct attacks from internet without any credentials.
🏢 Internal Only: HIGH - Even internally, any network access to these devices allows exploitation without authentication.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details available on Packet Storm Security. Attack requires network access but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Contact ICL for firmware updates or replacement options.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate SCADA controllers in separate network segments with strict firewall rules.

Access Control Lists (applies to: all)

Implement strict network ACLs to limit access to SCADA controllers to authorized systems only.

🧯 If You Can't Patch

  • Deploy network-based intrusion prevention systems (IPS) with rules to block exploitation attempts
  • Implement strict network segmentation and zero-trust architecture principles

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version via the web interface or the serial console. If the version is 1.03.07, the device is vulnerable.

Check Version:

Check via the web interface at http://[device-ip]/status or via a serial console connection.

Verify Fix Applied:

Verify firmware has been updated to a version later than 1.03.07 or device has been replaced.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized file modification attempts
  • Unexpected file system changes
  • Authentication bypass logs

Network Indicators:

  • Unusual file transfer patterns to SCADA controllers
  • Unauthorized access attempts to SCADA network segments

SIEM Query:

source_ip=* AND dest_ip=[scada_ip] AND (protocol=HTTP OR protocol=FTP) AND action=file_modify
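The two checks above (the firmware-version check under "How to Verify" and the file-modification indicators under "Detection & Monitoring") can be scripted on the defender side. The block below is an added example written for this page; it is not code from the advisory, from ICL, or from any published PoC. It assumes a constructed log format (one line per request: timestamp, source, destination, protocol, operation, path, authenticated user or "-", status) and placeholder SCADA addresses in the 192.0.2.0/24 documentation range; the HTTP methods and FTP commands it treats as file-modifying are an assumption, since the page does not name the exact request the flaw is triggered with.

```python
"""Defender-side helpers for CVE-2022-25359 (ICL ScadaFlex II SC-1/SC-2).

Added example for this page, not vendor or advisory code.
Log format, IP addresses and the set of file-modifying operations are
constructed assumptions, labelled as such in the comments below.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Affected firmware 1.03.07, as stated in the advisory.
AFFECTED_VERSION: Tuple[int, int, int] = (1, 3, 7)

# Assumption: these operations write, create or delete files on the controller.
HTTP_FILE_OPS = {"PUT", "POST", "DELETE"}
FTP_FILE_OPS = {"STOR", "DELE", "APPE", "RNTO"}

# Constructed log line layout (not a real device or proxy format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<proto>HTTP|FTP) "
    r"(?P<op>\S+) (?P<path>\S+) user=(?P<user>\S+) status=(?P<status>\d+)$"
)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract 'a.bb.cc' from a status page or console banner as integers,
    so 1.03.07 < 1.03.10 compares numerically rather than lexically."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no firmware version found in: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_affected_version(status_text: str) -> bool:
    """True when the firmware is exactly the affected 1.03.07 release."""
    return parse_version(status_text) == AFFECTED_VERSION


def fix_applied(status_text: str) -> bool:
    """True when the firmware is later than 1.03.07 (the page's 'Verify Fix
    Applied' criterion; it names no specific fixed version)."""
    return parse_version(status_text) > AFFECTED_VERSION


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    proto: str
    op: str
    path: str
    unauthenticated: bool  # True when no user was recorded for the request


def find_file_modifications(log_lines: Iterable[str], scada_ips: Set[str]) -> List[Alert]:
    """Flag every file-modifying HTTP/FTP operation aimed at a SCADA controller.
    Unauthenticated ones are the direct indicator for this CVE; authenticated
    ones are still reported so an analyst can confirm they were expected."""
    alerts: List[Alert] = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m["dst"] not in scada_ips:
            continue
        op = m["op"].upper()
        modifying = (m["proto"] == "HTTP" and op in HTTP_FILE_OPS) or (
            m["proto"] == "FTP" and op in FTP_FILE_OPS
        )
        if not modifying:
            continue
        alerts.append(
            Alert(m["ts"], m["src"], m["dst"], m["proto"], op, m["path"], m["user"] == "-")
        )
    return alerts


# Constructed sample data: placeholder addresses and made-up paths.
SCADA_IPS = {"192.0.2.10", "192.0.2.11"}
SAMPLE_LOG = [
    "2022-03-01T10:15:22Z 10.0.0.5 -> 192.0.2.10 HTTP GET /status user=- status=200",
    "2022-03-01T10:15:31Z 10.0.0.5 -> 192.0.2.10 HTTP PUT /config/app.cfg user=- status=200",
    "2022-03-01T10:16:02Z 10.0.0.7 -> 192.0.2.10 FTP STOR /logic/prog.bin user=- status=226",
    "2022-03-01T10:17:45Z 10.0.0.9 -> 192.0.2.10 HTTP DELETE /logs/old.log user=engineer status=200",
    "2022-03-01T10:18:00Z 10.0.0.9 -> 198.51.100.4 HTTP PUT /x user=- status=200",  # not a SCADA host
]

if __name__ == "__main__":
    print("affected:", is_affected_version("Firmware: 1.03.07"))
    for a in find_file_modifications(SAMPLE_LOG, SCADA_IPS):
        tag = "UNAUTHENTICATED" if a.unauthenticated else "authenticated"
        print(f"{a.ts} {a.src} -> {a.dst} {a.proto} {a.op} {a.path} [{tag}]")
```

Run against the constructed sample, the GET and the request to the non-SCADA host are ignored; the PUT and FTP STOR with no recorded user are the pattern the SIEM query above is looking for, and the authenticated DELETE is reported for analyst review. Point the version helpers at the text of the status page or console banner you actually collect; the regex only needs an `a.bb.cc` token somewhere in it.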
