Cyber Resilience

CVE-2022-24313

Critical

Published: 09 February 2022

Modified: 21 November 2024
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0777 (92.1th percentile)
Risk Priority: 24 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-24313 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in the Schneider Electric Interactive Graphical SCADA System Data Server. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 7.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

A CWE-120 buffer copy vulnerability affects the Interactive Graphical SCADA System Data Server versions 15.0.0.22020 and earlier. The flaw permits a stack-based buffer overflow when the server processes a specially crafted network message, potentially allowing remote code execution. The issue carries a CVSS 3.1 score of 9.8 with network attack vector, no required authentication or user interaction, and full impact on confidentiality, integrity, and availability.

An unauthenticated remote attacker can send a malicious message directly to the exposed Data Server service. Successful exploitation results in arbitrary code execution on the affected host, enabling an adversary to take full control of the SCADA system component.

Schneider Electric security advisory SEVD-2022-039-01 and the corresponding Zero Day Initiative report ZDI-22-325 describe the issue and direct users to vendor-supplied patches or configuration guidance for remediation. The EPSS score has remained flat at 0.0777 with no observed upward trajectory after disclosure.

Vulnerability details

A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow potentially leading to remote code execution when an attacker sends a specially crafted message. Affected Product: Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: schneider-electric
Product: interactive graphical scada system data server
Version: ≤ 15.0.0.22020

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-120

Platform-independent managed code eliminates the need for unchecked native buffer copies that are the root cause of classic buffer overflows.
