Cyber Resilience

CVE-2022-1018

Severity: Medium
Published: 01 April 2022
Modified: 21 November 2024
KEV Added: not listed in the CISA KEV catalog
CVSS v3.1 Score: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
EPSS Score: 0.0914 (92.9th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-1018 is a medium-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Rockwell Automation Connected Components Workbench. Its CVSS v3.1 base score is 5.5 (Medium).

Operationally, it is ranked in the top 7.1% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-1018 is an XML external entity (XXE) flaw (CWE-611) that is triggered when the application opens a solution file. The root cause is an unsafe call inside a dynamic link library that processes XML without disabling external entity resolution, so an entity declared in the document's DTD can be resolved against a local file path and its contents substituted into the parsed document.

An unauthenticated local attacker can supply a crafted solution file and trick a user into opening it. Successful exploitation allows the attacker to read arbitrary local files and exfiltrate their contents to a remote server, producing a loss of confidentiality while leaving integrity and availability unaffected. The CVSS 3.1 score is 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

CISA has published ICS advisories (ICSA-22-088-01) that address the issue. The EPSS score has remained flat at its recorded peak of 0.0914.
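To make the root cause above concrete, here is an added example (not code from the page or from Rockwell Automation, which does not disclose the XML library the affected DLL uses) that models the CWE-611 pattern in Python. It uses the standard library's xml.sax parser because its external-entity feature can be switched on and off explicitly: the same crafted document is parsed once in the unsafe configuration, where an entity pointing at a local file is expanded into the document, and once in the hardened configuration, where the reference expands to nothing. The "solution file" layout, the element names, the local file and its contents are all constructed for the demonstration; a small pre-parse screen for external entity declarations is included as the kind of check a defender can log on before any parser sees the file.

```python
"""Vulnerable vs hardened XML parsing of an attacker-controlled document.

Illustrative example for the CWE-611 pattern behind CVE-2022-1018: a parser
that resolves external entities while opening a user-supplied solution file.
Python's xml.sax is used as a stand-in because it exposes the external
general entity feature as a switch; the document layout is constructed.
"""
import io
import os
import re
import tempfile
import xml.sax
from xml.sax import handler


class _TextCollector(handler.ContentHandler):
    """Collects character data so we can see what the parser substituted."""

    def __init__(self):
        super().__init__()
        self._chunks = []

    def characters(self, content):
        self._chunks.append(content)

    def text(self):
        return "".join(self._chunks)


def parse_solution_text(xml_bytes, allow_external_entities):
    """Parse the document and return its character data.

    allow_external_entities=True reproduces the unsafe configuration: external
    general entities are fetched from their SYSTEM identifier and substituted.
    False is the hardened configuration (the default since Python 3.7.1): the
    entity reference is accepted but expands to nothing, so no file is read.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, allow_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


# Matches an entity or DOCTYPE declaration that carries an external identifier.
_EXTERNAL_ID = re.compile(
    rb"<!(?:ENTITY\s+(?:%\s+)?\S+|DOCTYPE\s+\S+)\s+(?:SYSTEM|PUBLIC)\b", re.I
)


def declares_external_entities(xml_bytes):
    """Cheap pre-parse screen for defenders: a legitimate solution file has no
    reason to declare SYSTEM or PUBLIC entities or an external DTD, so their
    presence is worth flagging and logging before the file reaches a parser.
    (Refusing any DOCTYPE at all is the stricter, simpler policy.)"""
    return _EXTERNAL_ID.search(xml_bytes) is not None


def build_crafted_solution(local_path):
    """Constructed sample of a solution file whose DTD declares an external
    entity pointing at a local file and references it in element content."""
    return (
        b'<?xml version="1.0"?>\n'
        b"<!DOCTYPE Solution [\n"
        b'  <!ENTITY cfg SYSTEM "' + local_path.encode() + b'">\n'
        b"]>\n"
        b'<Solution name="demo"><Note>&cfg;</Note></Solution>\n'
    )


def demo():
    """Run the crafted document through both configurations and report."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for a sensitive local file on the workstation.
        local_path = os.path.join(tmp, "local-config.txt")
        with open(local_path, "w", encoding="utf-8") as f:
            f.write("db-password=example-only")
        crafted = build_crafted_solution(local_path)
        return {
            "flagged": declares_external_entities(crafted),
            "unsafe_parse": parse_solution_text(crafted, True),
            "safe_parse": parse_solution_text(crafted, False),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the module prints the file contents under `unsafe_parse` and an empty string under `safe_parse`; the only difference between the two runs is the one parser setting, which is exactly the kind of missing hardening the analysis attributes to the affected DLL. The same fix exists in other XML stacks (in .NET's System.Xml it is `XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit` together with a null `XmlResolver`), but which library the affected component uses is not stated on this page, so that mapping is an assumption about a typical Windows application stack, not a description of the vendor's patch.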

Vulnerability details

When opening a malicious solution file provided by an attacker, the application suffers from an XML external entity vulnerability due to an unsafe call within a dynamic link library file. An attacker could exploit this to pass data from local files to a remote web server, leading to a loss of confidentiality.

CWE(s)

CWE-611: Improper Restriction of XML External Entity Reference

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor               Product                                    Versions
rockwellautomation   connected components workbench             ≤ 12.0
rockwellautomation   isagraf                                    ≤ 6.6.9
rockwellautomation   safety instrumented systems workstation    ≤ 1.1

Mitigating Controls

Likely mitigating controls (AI-derived): per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing that includes XML external entity payloads, which detects XXE vulnerabilities so they can be mitigated (addresses CWE-611).
- Monitoring for unusual file or network access, or unusual resource usage, which identifies XML external entity processing (addresses CWE-611).
