CVE-2022-31486

Name of the Vulnerable Software and Affected Versions HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 versions prior to 1.303 for the LP series and 1.297 for the EP series

Description The issue exists due to the lack of measures to neutralize special elements used in the operating system command. An authenticated attacker can send a specially crafted route to the "edit route.cgi" binary and have it execute shell commands. This can allow the attacker to monitor all communications sent to and from the device, modify onboard relays, change configuration files, or cause the device to become unstable.

Recommendations For HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 with firmware versions prior to 1.303 for the LP series and 1.297 for the EP series, update the firmware to a version that contains the fix for this issue. As a temporary workaround, consider restricting access to the "edit route.cgi" binary until a patch is available. Avoid using the "edit route.cgi" binary for executing shell commands until the issue is resolved.