Cyber Resilience

CVE-2022-2329

Critical

Published: 01 February 2023

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0383 (88.4th percentile)
Risk Priority: 22 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-2329 is a critical-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Schneider Electric Interactive Graphical SCADA System (IGSS). Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 11.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

A CWE-190 integer overflow vulnerability affects the IGSS Data Server component IGSSdataServer.exe in versions prior to V15.0.0.22073. The flaw can produce a heap-based buffer overflow when the server processes multiple specially crafted messages, resulting in denial of service or potential remote code execution. The issue carries a CVSS 3.1 base score of 9.8, reflecting network attack vector, low attack complexity, and no required privileges or user interaction.

An unauthenticated remote attacker can send a sequence of malicious messages over the network to trigger the overflow. Successful exploitation may allow arbitrary code execution or a crash of the data server, disrupting industrial control system operations that rely on IGSS.

Schneider Electric’s security notification SEVD-2022-102-01 advises users to upgrade IGSS Data Server to version 15.0.0.22073 or later. The advisory is available from the vendor’s download portal and contains the official remediation guidance.

The associated EPSS score remains low, with a recorded peak of 0.0580 that has since receded to 0.0383.

Vulnerability details

A CWE-190: Integer Overflow or Wraparound vulnerability exists that could cause heap-based buffer overflow, leading to denial of service and potentially remote code execution when an attacker sends multiple specially crafted messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22073)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: schneider-electric
Product: interactive graphical scada system
Versions: ≤ 15.0.0.22074

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References