Risk evaluation has revealed that a vulnerability exists in the web server of a certain device, which could allow a malicious actor with low privileges to gain root access and send malicious commands to managed devices. CVE-2022-42139 has been assigned to this vulnerability, and a CVSS v3 base score of 9.9 has been calculated. Delta Electronics has patched the vulnerability in Version 2.5.2 and recommends all users update their device firmware to that version or later. CISA recommends users take defensive measures to minimize the risk of exploitation, such as minimizing network exposure for all control system devices and/or systems, and ensuring they are not accessible from the Internet. Additionally, CISA recommends using secure methods such as Virtual Private Networks when remote access is required. Organizations observing suspicious activity should report their findings to CISA for tracking and correlation against other incidents. CISA provides a section for control systems security recommended practices on its ICS webpage, as well as several products detailing cyber defense best practices.
This Cyber News was published on us-cert.cisa.gov. Publication date: Thu, 02 Feb 2023 17:44:03 +0000