Cyber Resilience

CVE-2022-22808

High

Published: 09 February 2022

Published
09 February 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0013 32.0th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-22808 is a high-severity CSRF (CWE-352) vulnerability in Schneider-Electric Hmibscea53D1Edb Firmware. Its CVSS base score is 8.8 (High).

Operationally, ranked at the 32.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A CWE-352: Cross-Site Request Forgery (CSRF) exists that could cause a remote attacker to gain unauthorized access to the product when conducting cross-domain attacks based on same-origin policy or cross-site request forgery protections bypass. Affected Product: EcoStruxure EV Charging Expert…

more

(formerly known as EVlink Load Management System): (HMIBSCEA53D1EDB, HMIBSCEA53D1EDS, HMIBSCEA53D1EDM, HMIBSCEA53D1EDL, HMIBSCEA53D1ESS, HMIBSCEA53D1ESM, HMIBSCEA53D1EML) (All Versions prior to SP8 (Version 01) V4.0.0.13)

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

schneider-electric
hmibscea53d1edb firmware
≤ 4.0.0.13
schneider-electric
hmibscea53d1eds firmware
≤ 4.0.0.13
schneider-electric
hmibscea53d1edm firmware
≤ 4.0.0.13
schneider-electric
hmibscea53d1edl firmware
≤ 4.0.0.13
schneider-electric
hmibscea53d1ess firmware
≤ 4.0.0.13
schneider-electric
hmibscea53d1esm firmware
≤ 4.0.0.13
schneider-electric
hmibscea53d1eml firmware
≤ 4.0.0.13

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-352

Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF.

addresses: CWE-352

Requiring user re-entry of credentials for sensitive actions prevents automated forgery of requests without active user participation.

addresses: CWE-352

Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications.

addresses: CWE-352

Detects anomalous request patterns consistent with cross-site request forgery.

References