Cyber Resilience

CVE-2022-37012

High

Published: 29 March 2023

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0691 (91.6th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-37012 is a high-severity Improper Update of Reference Count (CWE-911) vulnerability in Unified Automation OPC UA C++ Demo Server. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 8.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

This vulnerability affects Unified Automation OPC UA C++ Demo Server version 1.7.6-537 and resides in the OpcUa_SecureListener_ProcessSessionCallRequest method. A remote attacker can submit a specially crafted OPC UA message that causes the server to mishandle a reference count, triggering a denial-of-service condition. The issue carries a CVSS 3.1 score of 7.5 and maps to CWE-911; no authentication or user interaction is required.

An unauthenticated attacker with network access to an affected installation can repeatedly send the malicious message to crash or hang the server, disrupting any OPC UA clients that depend on it. Because the flaw is triggered at the protocol-message level, exploitation requires only the ability to reach the server’s listening port.

Vendor documentation for the 1.7.7 release and the corresponding Zero Day Initiative advisory ZDI-22-1030 indicate that the reference-count handling error has been corrected in that update. Administrators are advised to upgrade from 1.7.6-537 to 1.7.7 or later to eliminate the flaw.

The associated EPSS score has remained flat at 0.0691 since disclosure, indicating no significant increase in observed exploitation interest.

Vulnerability details

This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Unified Automation OPC UA C++ Demo Server 1.7.6-537. Authentication is not required to exploit this vulnerability. The specific flaw exists within the OpcUa_SecureListener_ProcessSessionCallRequest method. A crafted OPC UA message can force the server to incorrectly update a reference count. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-16927.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

unified-automation
opc ua c++ demo server
1.7.6.537

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.