CVE-2022-28620

Critical

Published: 24 June 2022

Modified: 21 November 2024
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0069 (72.3rd percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-28620 is a critical-severity vulnerability of unspecified weakness type in HPE Cray EX Supercomputers firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 27.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Vulnerability details

A remote authentication bypass vulnerability was discovered in HPE Cray Legacy Shasta System Solutions; HPE Slingshot; and HPE Cray EX supercomputers versions: Prior to node controller firmware associated with HPE Cray EX liquid cooled blades, and all versions of chassis controller firmware associated with HPE Cray EX liquid cooled cabinets prior to 1.6.27/1.5.33/1.4.27; All Slingshot versions prior to 1.7.2; All versions of node controller firmware associated with HPE Cray EX liquid cooled blades, and all versions of chassis controller firmware associated with HPE Cray EX liquid cooled cabinets prior to 1.6.27/1.5.33/1.4.27. HPE has provided a software update to resolve this vulnerability in HPE Cray Legacy Shasta System Solutions, HPE Slingshot, and HPE Cray EX Supercomputers.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor · Product · Versions
hpe · slingshot firmware · ≤ 1.7.2
hpe · cray ex supercomputers firmware · 1.4.27, 1.5.33, 1.6.27
hpe · cray sh supercomputer air cooled base system code firmware · 1.4.27, 1.5.33, 1.6.27
hpe · cray sh supercomputer liquid cooled base system code firmware · 1.4.27, 1.5.33, 1.6.27
hpe · cray sh supercomputer liquid cooled tds base system code firmware · 1.4.27, 1.5.33, 1.6.27

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
