Team82 has developed a novel technique called the Evil PLC Attack in which programmable logic controllers (PLCs) are weaponized and used to compromise engineering workstations. An attacker with a foothold on an engineering workstation can have access to anything else on the OT network to which an engineer connects that machine, including other PLCs.
CWE-35 Path Traversal:
011209 Intercom could allow an authenticated attacker to upload arbitrary files to multiple locations within the system.
CyberData recommends users update to v22.0.1
CVSS v3: 9.8
CWE-522 Insufficiently Protected Credentials:
011209 Intercom does not properly store or protect web server admin credentials.
CyberData recommends users update to v22.0.1
CVSS v3: 7.5
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'):
011209 Intercom could allow an unauthenticated user to gather sensitive information through blind SQL injections.
CyberData recommends users update to v22.0.1
CVSS v3: 5.3
CWE-306 Missing Authentication for Critical Function:
011209 Intercom exposes features that could allow an unauthenticated to gain access and cause a denial-of-service condition or system disruption.
CyberData recommends users update to v22.0.1
CVSS v3: 7.5
CWE-288 Authentication Bypass Using an Alternate Path or Channel:
011209 Intercom could allow an unauthenticated user access to the Web Interface through an alternate path.
CyberData recommends users update to v22.0.1
CVSS v3: 9.8
