CVE-2022-41976

9.9 CRITICAL

📋 TL;DR

CVE-2022-41976 is a privilege escalation vulnerability in Scada-LTS that allows authenticated low-privileged users to elevate their privileges to administrator level by modifying their user profile. This affects Scada-LTS installations with version 2.7.1.1 build 2948559113 where user accounts exist.

💻 Affected Systems

Products:
  • Scada-LTS
Versions: 2.7.1.1 build 2948559113
Operating Systems: Any OS running Scada-LTS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires at least one low-privileged user account to be present. The vulnerability exists in the user profile update functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with any authenticated account can gain full administrative control over the SCADA system, potentially manipulating industrial processes, disabling safety controls, or exfiltrating sensitive operational data.

🟠

Likely Case

Malicious insiders or compromised low-privilege accounts escalate to administrator privileges, gaining unauthorized access to critical SCADA functions and configuration settings.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to the SCADA application layer, though administrative compromise remains significant.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward via the web interface or API calls. A public blog post details the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2.7.1.1 build 2948559113

Vendor Advisory: https://github.com/SCADA-LTS/Scada-LTS/releases

Restart Required: Yes

Instructions:

1. Back up the current installation and database.
2. Download the latest Scada-LTS release from GitHub.
3. Replace the affected files with the patched version.
4. Restart the Scada-LTS service.
5. Verify that user role permissions are functioning correctly.

🔧 Temporary Workarounds

Temporary User Role Restriction

Applies to: all platforms

Disable user profile modification for non-admin users via application configuration or database constraints. The query below is illustrative pseudo-SQL only: the table and column names are not taken from the Scada-LTS schema, so confirm the real schema in your installation and test on a backup before applying any change.

# Modify application configuration to restrict profile updates
# Illustrative database query (table/column names are placeholders):
# UPDATE users SET can_edit_profile = 0 WHERE role != 'admin'

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Scada-LTS from untrusted networks
  • Remove all non-essential user accounts and implement multi-factor authentication for remaining accounts

🔍 How to Verify

Check if Vulnerable:

Check Scada-LTS version in admin interface or via application files. Version 2.7.1.1 build 2948559113 is vulnerable.

Check Version:

# Check version in Scada-LTS web interface under System Information or via application.properties file

Verify Fix Applied:

After patching, attempt to modify a user role as a low-privileged user; this should fail with a proper authorization error.

📡 Detection & Monitoring

Log Indicators:

  • Unusual user role change events
  • Multiple failed authorization attempts followed by successful privilege escalation
  • User profile update requests from low-privilege accounts

Network Indicators:

  • HTTP POST requests to user profile update endpoints from unexpected sources
  • Unusual administrative API calls from non-admin IP addresses

SIEM Query:

source="scada-lts" AND (event_type="user_update" OR event_type="role_change") AND user_role!="admin"
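The following is an added example, not code from the original page or from the Scada-LTS project. It applies the log indicators and SIEM query above to constructed sample audit lines: first the plain filter (profile-update or role-change events by a non-admin actor), then a correlation that flags an account which edits its own profile to the admin role and later appears with admin privileges. The key=value log format and the field names (event_type, actor, actor_role, target, new_role) are assumptions; map them to whatever your Scada-LTS deployment and SIEM actually emit.

```python
"""Detect suspected Scada-LTS privilege escalation in audit logs.

Added example for this advisory, not Scada-LTS project code. The log
format and field names below are assumed; adapt them to your deployment.
"""
from __future__ import annotations

import shlex

ADMIN_ROLE = "admin"
PROFILE_EVENTS = {"user_update", "role_change"}

# Constructed sample log lines (not real Scada-LTS output).
SAMPLE_LOG = """\
ts=2022-10-01T09:00:01Z source=scada-lts event_type=login actor=alice actor_role=admin
ts=2022-10-01T09:05:12Z source=scada-lts event_type=user_update actor=bob actor_role=user target=bob new_role=admin
ts=2022-10-01T09:05:20Z source=scada-lts event_type=role_change actor=bob actor_role=user target=bob new_role=admin
ts=2022-10-01T09:06:00Z source=scada-lts event_type=login actor=bob actor_role=admin
ts=2022-10-01T10:00:00Z source=scada-lts event_type=user_update actor=alice actor_role=admin target=carol new_role=user
ts=2022-10-01T10:30:00Z source=scada-lts event_type=user_update actor=dave actor_role=user target=dave new_role=user
"""


def parse_line(line: str) -> dict[str, str]:
    """Parse one key=value line into a dict; quoted values are handled by shlex."""
    fields: dict[str, str] = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def parse_log(text: str) -> list[dict[str, str]]:
    """Parse a multi-line log blob, skipping blank lines."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def siem_query(events: list[dict[str, str]]) -> list[dict[str, str]]:
    """Python equivalent of the advisory's SIEM query:

    source="scada-lts" AND (event_type="user_update" OR event_type="role_change")
    AND user_role!="admin"
    """
    return [
        e for e in events
        if e.get("source") == "scada-lts"
        and e.get("event_type") in PROFILE_EVENTS
        and e.get("actor_role") != ADMIN_ROLE
    ]


def find_escalations(events: list[dict[str, str]]) -> dict[str, dict[str, object]]:
    """Correlate the two indicators from the advisory.

    A non-admin actor edits its own profile and sets the admin role (suspect),
    and the same account later shows up acting with the admin role (confirmed).
    Timestamps are ISO 8601, so string comparison preserves ordering.
    """
    suspects: dict[str, dict[str, object]] = {}
    for e in siem_query(events):
        actor = e.get("actor")
        if actor and e.get("target") == actor and e.get("new_role") == ADMIN_ROLE:
            suspects.setdefault(actor, {"first_event": e["ts"], "confirmed": False})
    for e in events:
        actor = e.get("actor")
        if (actor in suspects and e.get("actor_role") == ADMIN_ROLE
                and e["ts"] > suspects[actor]["first_event"]):
            suspects[actor]["confirmed"] = True
    return suspects


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(f"{len(siem_query(evs))} profile events by non-admin actors")
    for user, info in find_escalations(evs).items():
        print(f"suspected escalation: {user} at {info['first_event']} "
              f"(later seen as admin: {info['confirmed']})")
```

The plain query is noisy on purpose: ordinary users legitimately update their own profiles, so `dave` is returned by `siem_query` but not by `find_escalations`, which only raises an alert when the edit grants the admin role and the account subsequently acts as admin.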
