Team82’s research agenda in 2022 reflected our commitment to securing the software and firmware at the heart of connected cyber-physical systems.
Our work has evolved beyond a 100% focus on operational technology to include the breadth of the extended Internet of things (XIoT). In 2022, we privately disclosed and reported on 119 vulnerabilities affecting some of the biggest automation, healthcare, and IoT providers in the world. We worked hard to establish relationships with these companies, refine coordinated vulnerability disclosure and ensure the security of products central to the services critical to our way of life.
We’d like to recap Team82’s year and focus on some of our favorite research, interactions with the security community via conference talks, and open source tools.
Team82 prioritized in 2022 its understanding of exploitable weaknesses in programmable logic controllers (PLCs), the true hub of industrial automation processes across critical industries. The three research blogs linked below represent the spectrum of threats to PLCs, innovation in attack techniques that advanced hackers could use to disrupt processes, and also represent the possible consequences of attacks against these devices.
Hiding Code on Rockwell Automation PLCs:
Summary: Two vulnerabilities that could enable attackers to download modified code to a PLC, while an engineer at their workstation would see a process running as expected, reminiscent of Stuxnet and the Rogue7 attacks.
The Race to Native Code Execution in PLCs:
Summary: Team 82 developed a new, innovative method to extract heavily guarded, hardcoded, global private cryptographic keys embedded within the Siemens SIMATIC S7-1200/1500 PLC and TIA Portal product lines. This research was presented at the S4x22 Conference.
EvilPLC Attack: Using a Controller as Predator Rather Than Prey:
Summary: Another novel attack that weaponizes programmable logic controllers (PLCs) in order to exploit engineering workstations and further invade OT and enterprise networks. Download the full report here (free PDF). This attack was also demonstrated at DEF CON.
Blinding Snort: Breaking the MODBUS OT Preprocessor: An integer-overflow vulnerability that can caused the Snort Modbus OT preprocessor to enter an infinite while-loop, blinding Snort to traffic and preventing it from generating alerts.
Securing OT Network Management Systems: Siemens SINEC NMS: We chained two of 15 vulnerabilities found in the NMS to ultimately allow an attacker to remotely execute code on the system.
An Oil and Gas Weak Spot: Flow Computers: A path-traversal vulnerability in ABB TotalFlow flow computers and controllers allowed attackers to inject and execute arbitrary code. This research was presented at BSides Tel Aviv.
Exploiting URL Parsing Confusion: A Team82-Snyk collaboration researching 16 URL parsing libraries
Splunk Patches Indexer Vulnerability: A Splunk indexer vulnerability could leak memory
With Management Comes Risk: Finding Flaws in Filewave MDM: Two remotely exploitable vulnerabilities were discovered in this popular mobile device management platform.
Jumping NAT to Shut Down Electric Devices: Multiple vulnerabilities were found in Dataprobe’s iBoot PDU power distribution unit, impacting datacenters worldwide.
JS-ON, Security-Off: Abusing JSON-based SQL to Bypass WAF: A unique, generic web application firewall bypass affecting five leading WAF vendors was disclosed. This research was also presented at Black Hat EU.
Team82 also took part in important hacking competitions across the globe. While there is notoriety associated with these events, the main objective of these contests is to find previously undiscovered vulnerabilities, enter into a coordinated disclosure process with the affected vendor, and get these bugs fixed. Here’s a review of our participation in 2022.
Team82 won the S4x22 Capture the Flag event, accumulating 2500 points over two days to best the competition. Team82 donated its prize money to charity.
Team82 finished in third place overall in the ICS version of the Pwn2Own event held in parallel with the S4x22 in Miami. We competed in a number of categories, including OPC UA, HMI/SCADA, Control Servers, and Data Gateways.
Team82 finished in first place at the CISA-sponsored ICS Joint Working Group competition. The JWG facilitates communication between critical infrastructure operators in the U.S.
Director of research Sharon Brizinov competed at Pwn2Own Toronto, an IoT-centric version of Pwn2Own. Team82 found and exploited zero-day vulnerabilities in two vendors’ NAS products and a popular small office and home router.
Team82 often develops its own research tools to aid in its dissection and observation of leading automation, IoT, and healthcare devices. Some of these tools have great value to the security and research community as a whole, and we happily and freely share them. Here are two we made available in 2022.
A custom, generic EtherNet/IP and CIP stack detection tool that fulfills a number of use cases for cybersecurity researchers, OT engineers, and asset owners by helping them to identify and classify commercial and homegrown products using the same third-party ENIP stack code.
This research was presented at the SANS ICS Conference.
Arya is a tailor-made EICAR that can be used to generate custom-made, pseudo-malware files to trigger antivirus and endpoint detection and response tools just like the good old EICAR test file. Arya has a number of use cases, including malware research, YARA rule QA testing, and pressure testing a network with code samples built from YARA rules.
Finally, Team82 was recognized for its work on numerous fronts. We’re humbled by these honors and would like to call attention to two in particular.
Sharon Brizinov was named the SANS Institute’s Researcher of the Year during its Difference Makers Awards ceremony. See the announcement here:
Team82 was ranked No. 1 in Israel’s Responsible Weakness Discovery Program, recognizing its efforts to protect the nation’s cyber presence.
CWE-284 IMPROPER ACCESS CONTROL
Due to webserver misconfiguration an unauthenticated remote attacker is able to read the source of PHP modules.
METZ CONNECT has identified the following specific workarounds and mitigations users can apply to reduce risk:
(Product Group: METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M-BM(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-BM(All versions)): METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.
The following product versions have been fixed:
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41737
CVSS v3: 7.5
CWE-35 PATH TRAVERSAL:
A low privileged remote attacker can upload a new or overwrite an existing python script by using a path traversal of the target filename in PHP resulting in a remote code execution.
METZ CONNECT has identified the following specific workarounds and mitigations users can apply to reduce risk:
(Product Group: METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M-BM(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-BM(All versions)): METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.
The following product versions have been fixed:
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41737
CVSS v3: 8.8
CWE-434 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE
A low privileged remote attacker can upload any file to an arbitrary location due to missing file check resulting in remote code execution.
METZ CONNECT has identified the following specific workarounds and mitigations users can apply to reduce risk:
(Product Group: METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M-BM(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-BM(All versions)): METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.
The following product versions have been fixed:
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41737
CVSS v3: 8.8
CWE-98 IMPROPER CONTROL OF FILENAME FOR INCLUDE/REQUIRE STATEMENT IN PHP PROGRAM ('PHP REMOTE FILE INCLUSION')
An unauthenticated remote attacker can execute arbitrary PHP files and gain full access of the affected devices.
METZ CONNECT has identified the following specific workarounds and mitigations users can apply to reduce risk:
(Product Group: METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M-BM(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-BM(All versions)): METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.
The following product versions have been fixed:
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41737
CVSS v3: 9.8
CWE-305 AUTHENTICATION BYPASS BY PRIMARY WEAKNESS
The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.
METZ CONNECT has identified the following specific workarounds and mitigations users can apply to reduce risk:
(Product Group: METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M-BM(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-BM(All versions)): METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.
The following product versions have been fixed:
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41737
CVSS v3: 9.8
