CVE-2022-40202

Name of the Vulnerable Software and Affected Versions Delta Electronics InfraSuite Device Master versions 00.00.01a and prior

Description The database backup function in the software lacks proper authentication, allowing an attacker to provide malicious serialized objects. When deserialized, these objects could activate an opcode for a backup scheduling function without authentication. This function enables the attacker to designate all function arguments and the file to be executed, potentially allowing them to start any new process and achieve remote code execution.

Recommendations For versions 00.00.01a and prior, consider disabling the backup scheduling function until a patch is available to prevent potential remote code execution. Restrict access to the ExeCommandInCommandLineMode to minimize the risk of exploitation. Avoid using the function arguments and file execution features in the affected software until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.