CVE-2022-41657
Published: 31 October 2022
Summary
CVE-2022-41657 is a critical-severity path traversal (CWE-22) vulnerability in Delta Electronics (listed as Deltaww) InfraSuite Device Master. Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, it ranks in the top 12.2% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Deeper analysis
Delta Electronics InfraSuite Device Master versions 00.00.01a and prior contain CVE-2022-41657, a path traversal flaw (CWE-22): attacker-supplied data that has already been deserialized into memory is passed, without path validation, to file operation APIs. An attacker can use this to create arbitrary files, which those same APIs then consume, resulting in remote code execution. The vulnerability received a CVSS v3.1 score of 9.8.
An unauthenticated attacker with network access can exploit the issue without user interaction or credentials, enabling arbitrary file writes that lead to full remote code execution on the affected industrial management system.
CISA advisory ICSA-22-298-07 addresses the vulnerability and outlines recommended mitigations for operators of the impacted Delta Electronics software.
The associated EPSS score rose materially from a low baseline to a peak of 0.1727 on 2025-12-11 before receding to its current value of 0.0347, indicating a period of heightened exploitation interest well after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-44844
Vulnerability details
Delta Electronics InfraSuite Device Master versions 00.00.01a and prior allow attacker-provided data already serialized into memory to be used in file operation application programming interfaces (APIs). This could create arbitrary files, which could be used in API operations and could ultimately result in remote code execution.
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Delta Electronics InfraSuite Device Master, versions 00.00.01a and prior.
Mitigating Controls
Likely mitigating controls (AI-derived): per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Input path validation: validate pathnames and filenames so that file operations cannot traverse outside the intended directories.
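As an added illustration (not code from Delta Electronics, the advisory, or this page), the following Python models both the weakness described under "Deeper analysis" and the path-validation control listed above: a deserialized record whose name field reaches a file-write API unchecked, beside a hardened handler that resolves the path and refuses anything that lands outside the intended directory. The JSON message format, the field names and the directory layout are assumptions for the example; the product's real serialization format and file APIs are not described on this page.

```python
import json
import os
import tempfile

# Added example, not InfraSuite Device Master code. The message format (JSON),
# the field names and the directory layout are assumptions for illustration.


def deserialize(message: bytes) -> dict:
    """Stand-in for the product's deserialization step. Whatever the format,
    the attacker controls every field of the object that comes out."""
    return json.loads(message)


def vulnerable_write(base_dir: str, record: dict) -> str:
    """The CWE-22 pattern: a deserialized field becomes part of a path that is
    handed straight to a file API. os.path.join drops base_dir entirely when
    the name is absolute, and '..' segments walk out of it."""
    path = os.path.join(base_dir, record["name"])
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(record["content"])
    return os.path.realpath(path)


def resolve_inside(base_dir: str, name: str) -> str:
    """Hardened variant: return the real path of base_dir/name, or raise
    ValueError if the result would not stay inside base_dir. Rejects empty
    and NUL-bearing names, backslashes (Windows separators), absolute paths,
    and any '..' or symlink that escapes (realpath resolves both)."""
    if not name or "\x00" in name:
        raise ValueError("empty or NUL-containing filename")
    if "\\" in name:
        raise ValueError("backslash not allowed in filename")
    if os.path.isabs(name):
        raise ValueError("absolute path rejected: %r" % name)
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory: %r" % name)
    return candidate


def is_rejected(base_dir: str, name: str) -> bool:
    """True if the hardened check refuses this name for this base directory."""
    try:
        resolve_inside(base_dir, name)
    except ValueError:
        return True
    return False


def safe_write(base_dir: str, record: dict) -> str:
    """Same file operation, but only after the path has been validated."""
    path = resolve_inside(base_dir, record["name"])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(record["content"])
    return path


def demo() -> dict:
    """Run both handlers on a benign and a hostile constructed message inside
    a throwaway directory and report where each write actually landed."""
    benign = deserialize(b'{"name": "report.txt", "content": "ok"}')
    hostile = deserialize(
        b'{"name": "../startup/payload.cmd", "content": "calc.exe"}')
    with tempfile.TemporaryDirectory() as root:
        base = os.path.realpath(os.path.join(root, "uploads"))
        os.makedirs(base)
        os.makedirs(os.path.join(root, "startup"))  # directory the hostile name targets

        def inside(path):
            return os.path.commonpath([base, path]) == base

        return {
            "vuln_benign_inside": inside(vulnerable_write(base, benign)),
            "vuln_hostile_inside": inside(vulnerable_write(base, hostile)),
            "safe_benign_inside": inside(safe_write(base, benign)),
            "safe_hostile_rejected": is_rejected(base, hostile["name"]),
        }


if __name__ == "__main__":
    print(demo())
```

The check is done on the resolved path rather than by searching the string for "..": lexical filters miss encoded or separator-variant forms, while comparing os.path.realpath output against the base directory catches traversal, absolute paths and symlink escapes in one place. A fix of the kind the advisory recommends would apply this validation before every file operation that consumes the deserialized data, not just on writes.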