{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-4780", "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c", "state": "PUBLISHED", "assignerShortName": "NCSC.ch", "dateReserved": "2022-12-28T09:17:05.953Z", "datePublished": "2022-12-28T14:21:36.185Z", "dateUpdated": "2025-04-10T20:31:03.789Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "ISOS", "vendor": "elvexys", "versions": [{"lessThanOrEqual": "2.00", "status": "affected", "version": "1.81", "versionType": "patch"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Damian Pfammatter, Cyber-Defense Campus, armasuisse S+T"}, {"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Daniel Hulliger, Cyber-Defense Campus, armasuisse S+T"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "ISOS firmwares from <b>versions 1.81 to 2.00 </b>contain hardcoded credentials from embedded StreamX installer that integrators are not forced to change.<br>"}], "value": "ISOS firmwares from versions 1.81 to 2.00 contain hardcoded credentials from embedded StreamX installer that integrators are not forced to change.\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "455daabc-a392-441d-aa46-37d35189897c", "shortName": "NCSC.ch", "dateUpdated": "2022-12-28T23:29:52.525Z"}, "references": [{"tags": ["release-notes"], "url": "https://elvexys.com/products/xpg-gateway-rtu-protocol-converter/isos-release-notes/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "ISOS firmwares from version 2.01 force the user to change the default credentials during the first login.<br>For\n ISOS fimwares up to version 2.00, the default credentials must be \nchanged by the user as documented in the \u00ab Initial staging \u00bb and \u00ab User \naccess \u00bb chapters. "}], "value": "ISOS firmwares from version 2.01 force the user to change the default credentials during the first login.\nFor\n ISOS fimwares up to version 2.00, the default credentials must be \nchanged by the user as documented in the \u00ab Initial staging \u00bb and \u00ab User \naccess \u00bb chapters. "}], "source": {"discovery": "EXTERNAL"}, "title": "hard coded credentials in elvexys ISOS firmwares", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:48:40.472Z"}, "title": "CVE Program Container", "references": [{"tags": ["release-notes", "x_transferred"], "url": "https://elvexys.com/products/xpg-gateway-rtu-protocol-converter/isos-release-notes/"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-10T20:30:46.383689Z", "id": "CVE-2022-4780", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-10T20:31:03.789Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://elvexys.com/products/xpg-gateway-rtu-protocol-converter/isos-release-notes/", "tags": ["release-notes", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:48:40.472Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-4780", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-10T20:30:46.383689Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-10T20:30:57.991Z"}}], "cna": {"title": "hard coded credentials in elvexys ISOS firmwares", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Damian Pfammatter, Cyber-Defense Campus, armasuisse S+T"}, {"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Daniel Hulliger, Cyber-Defense Campus, armasuisse S+T"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "elvexys", "product": "ISOS", "versions": [{"status": "affected", "version": "1.81", "versionType": "patch", "lessThanOrEqual": "2.00"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "ISOS firmwares from version 2.01 force the user to change the default credentials during the first login.\nFor\n ISOS fimwares up to version 2.00, the default credentials must be \nchanged by the user as documented in the \u00ab Initial staging \u00bb and \u00ab User \naccess \u00bb chapters. ", "supportingMedia": [{"type": "text/html", "value": "ISOS firmwares from version 2.01 force the user to change the default credentials during the first login.<br>For\n ISOS fimwares up to version 2.00, the default credentials must be \nchanged by the user as documented in the \u00ab Initial staging \u00bb and \u00ab User \naccess \u00bb chapters. ", "base64": false}]}], "references": [{"url": "https://elvexys.com/products/xpg-gateway-rtu-protocol-converter/isos-release-notes/", "tags": ["release-notes"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "ISOS firmwares from versions 1.81 to 2.00 contain hardcoded credentials from embedded StreamX installer that integrators are not forced to change.\n", "supportingMedia": [{"type": "text/html", "value": "ISOS firmwares from <b>versions 1.81 to 2.00 </b>contain hardcoded credentials from embedded StreamX installer that integrators are not forced to change.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "455daabc-a392-441d-aa46-37d35189897c", "shortName": "NCSC.ch", "dateUpdated": "2022-12-28T23:29:52.525Z"}}}, "cveMetadata": {"cveId": "CVE-2022-4780", "state": "PUBLISHED", "dateUpdated": "2025-04-10T20:31:03.789Z", "dateReserved": "2022-12-28T09:17:05.953Z", "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c", "datePublished": "2022-12-28T14:21:36.185Z", "assignerShortName": "NCSC.ch"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:elvexys:isos_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "8D7B2E55-E039-4214-9BD6-7287B4344D3B", "versionEndIncluding": "2.00", "versionStartIncluding": "1.81", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "ISOS firmwares from versions 1.81 to 2.00 contain hardcoded credentials from embedded StreamX installer that integrators are not forced to change.\n"}, {"lang": "es", "value": "Los firmware ISOS de las versiones 1.81 a 2.00 contienen credenciales codificadas del instalador StreamX integrado que los integradores no est\u00e1n obligados a cambiar."}], "id": "CVE-2022-4780", "lastModified": "2024-11-21T07:35:55.720", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.4, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}]}, "published": "2022-12-29T00:15:09.657", "references": [{"source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://elvexys.com/products/xpg-gateway-rtu-protocol-converter/isos-release-notes/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://elvexys.com/products/xpg-gateway-rtu-protocol-converter/isos-release-notes/"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "[email protected]", "type": "Primary"}]}

{}