Cyber Resilience

CVE-2022-37122

Severity: High · Public PoC available

Published: 31 August 2022

Modified: 21 November 2024
KEV Added: not listed
Patch: no vendor patch referenced
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.7093 (98.7th percentile)
Risk Priority: 58 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-37122 is a high-severity Path Traversal (CWE-22) vulnerability in Carel Applica. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 1.3% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Carel pCOWeb HVAC BACnet Gateway version 2.1.0, with firmware revisions A2.1.0 through B2.1.0 and application software 2.15.4A (v16 13020200), contains an unauthenticated arbitrary file disclosure vulnerability tracked as CVE-2022-37122. The flaw resides in the logdownload.cgi Bash script, which accepts a file parameter via HTTP GET without proper validation, allowing directory traversal sequences to retrieve arbitrary files on the device.

An unauthenticated remote attacker can supply crafted requests to the web interface and read sensitive configuration files, credentials, or other restricted content hosted on the gateway. The vulnerability carries a CVSS 3.1 score of 7.5, reflecting network-accessible exploitation with high confidentiality impact and no required privileges or user interaction.

Public references from Zero Science and Packet Storm document proof-of-concept exploits but contain no vendor statements on patches or mitigation steps. The associated EPSS score has remained at its recorded peak of 0.7093 without an observable climb from a lower baseline.

Vulnerability details

Carel pCOWeb HVAC BACnet Gateway 2.1.0, Firmware: A2.1.0 - B2.1.0, Application Software: 2.15.4A Software v16 13020200 suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: carel, Product: pcoweb card firmware, Versions: a2.1.0 through b.2.1.0
Vendor: carel, Product: applica, Versions: 16_13020200, 2.154a
Vendor: carel, Product: pcoweb hvac bacnet gateway, Version: 2.1.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validate pathnames and filenames so that a requested file cannot resolve outside the intended directory.
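The control above, as an added shell example (this is not Carel's logdownload.cgi and not code from this page): a log-file lookup that serves a requested name only if it is a plain filename and its canonical path still lies inside the log directory. It assumes GNU coreutils `realpath` (for `-e` and symlink resolution); the fixture directory, file names and contents in `demo` are constructed for the demonstration.

```shell
#!/bin/sh
# Added defensive example, not vendor code: hardened lookup for a
# user-supplied log-file name (the CWE-22 control described on this page).
# Assumes GNU coreutils `realpath`.

# resolve_log_path BASE_DIR NAME
#   Prints the canonical path of BASE_DIR/NAME when NAME is a single, plain
#   filename that resolves to a regular file inside BASE_DIR.
#   Returns 1 and prints nothing for any other input. BASE_DIR must not be "/".
resolve_log_path() {
    local base candidate
    case "$2" in
        "")                return 1 ;;  # empty name
        .*)                return 1 ;;  # dotfiles, "." and ".."
        *[!A-Za-z0-9._-]*) return 1 ;;  # allow-list: no "/", "\", "%", whitespace, control chars
        *..*)              return 1 ;;  # no ".." anywhere, even embedded ("a..b")
    esac
    # Canonicalize both sides so a symlink planted inside BASE_DIR that points
    # outside it is caught by the prefix test below.
    base=$(realpath -e -- "$1") || return 1
    candidate=$(realpath -e -- "$base/$2") || return 1
    [ -f "$candidate" ] || return 1
    case "$candidate" in
        "$base"/*) printf '%s\n' "$candidate" ;;
        *)         return 1 ;;
    esac
}

# demo: builds a constructed fixture in a temporary directory, shows the
# allow/reject decision for a few requested names, then cleans up.
demo() {
    local tmp name path
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/logs" "$tmp/private"
    echo "boot ok"            > "$tmp/logs/boot.log"   # legitimate log (constructed)
    echo "constructed secret" > "$tmp/private/config"  # must never be served
    ln -s "$tmp/private/config" "$tmp/logs/escape"     # symlink pointing outside the log dir
    for name in boot.log escape ../private/config .hidden 'a/b'; do
        if path=$(resolve_log_path "$tmp/logs" "$name"); then
            printf 'allow  %-20s -> %s\n' "$name" "$path"
        else
            printf 'reject %s\n' "$name"
        fi
    done
    rm -rf "$tmp"
}

demo
```

The allow-list on the filename already rules out traversal sequences; the canonicalization and prefix check are defense in depth against symlinks inside the served directory, which a character filter alone does not see.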

References