PT-2022-2834 · Hid Mercury · Hid Mercury Intelligent Controllers

Published: 2022-05-23 · Updated: 2022-06-17 · CVE-2022-31484

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502, firmware versions prior to 1.29
Description: An unauthenticated attacker can send a specially crafted network packet that deletes a user from the controller's web interface. Legitimate users may thereby lose access to the web interface and be forced to use the default-user DIP switch procedure to regain it. The CVSS vector reflects this: network-reachable, no authentication required, and an availability impact only (loss of management access), with no confidentiality or integrity impact scored. The vulnerability stems from errors in the security mechanisms of the HID Mercury intelligent controllers' firmware.
Recommendations: Update affected controllers to firmware version 1.29 or later. Until the update can be applied, restrict network access to the controllers' web interface (for example, to a dedicated management subnet) so that untrusted hosts cannot reach it; this limits exposure but does not remove the flaw. Because recovery from a successful attack relies on the default-user DIP switch procedure, which requires physical access to the controller, keep physical access controlled and make sure operators have the procedure documented; reserve it for recovery rather than routine use. At the moment, there is no information about additional mitigation measures.
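The following is an added example, not code from the advisory or from HID: an inventory triage script that flags controllers in scope for this issue (the five listed models with firmware below 1.29) and, for each affected one, emits nftables rules implementing the interim workaround of admitting the web interface only from a management subnet. The inventory rows, the management subnet 10.9.0.0/24, the gateway table/chain names and the web-interface ports 80/443 are all assumptions.

```python
"""Inventory triage for CVE-2022-31484 (HID Mercury LP1501/LP1502/LP2500/LP4502/EP4502 < 1.29).

Added example, not vendor code. The inventory rows are constructed sample data, the
management subnet is a placeholder, and the web-interface ports (80/443) are an assumption.
"""
import ipaddress
import re
from dataclasses import dataclass

AFFECTED_MODELS = {"LP1501", "LP1502", "LP2500", "LP4502", "EP4502"}
FIXED_VERSION = (1, 29)            # first firmware release that resolves the issue
WEB_PORTS = (80, 443)              # assumption: controller web interface on HTTP/HTTPS


@dataclass(frozen=True)
class Controller:
    name: str
    model: str
    firmware: str
    ip: str


def parse_version(fw: str) -> tuple[int, ...]:
    """Turn '1.28.4', 'v1.29' or '1.29.0-rc1' into a comparable tuple of ints.
    An unparseable string raises instead of being silently treated as patched."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", fw.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised firmware version: {fw!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(model: str, firmware: str) -> bool:
    """True when the model is in scope and its firmware predates 1.29.
    Tuple comparison handles extra components: (1, 28, 9) < (1, 29) < (1, 29, 1)."""
    if model.upper() not in AFFECTED_MODELS:
        return False
    return parse_version(firmware) < FIXED_VERSION


def nft_workaround(ctrl: Controller, mgmt_net: str) -> list[str]:
    """nftables rules for a gateway in front of the controller (assumed table 'inet filter',
    chain 'forward') that admit the web interface only from the management subnet.
    This is the interim measure until firmware 1.29 is installed; it narrows who can
    reach the interface but does not remove the flaw."""
    ip = ipaddress.ip_address(ctrl.ip)                 # validates the address
    net = ipaddress.ip_network(mgmt_net, strict=True)  # rejects host bits set in the prefix
    ports = ", ".join(str(p) for p in WEB_PORTS)
    match = f"ip daddr {ip} tcp dport {{ {ports} }}"
    return [
        f"add rule inet filter forward {match} ip saddr {net} accept",
        f"add rule inet filter forward {match} drop",
    ]


def triage(inventory: list[Controller], mgmt_net: str) -> dict[str, dict]:
    """Per controller: whether it is affected, and what to do about it."""
    report = {}
    for c in inventory:
        affected = is_affected(c.model, c.firmware)
        report[c.name] = {
            "affected": affected,
            "action": ("update firmware to 1.29 or later; restrict web interface meanwhile"
                       if affected else "no action for CVE-2022-31484"),
            "rules": nft_workaround(c, mgmt_net) if affected else [],
        }
    return report


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Controller("lobby-panel", "LP1502", "1.28.4", "10.20.0.5"),
    Controller("dock-panel", "EP4502", "v1.29", "10.20.0.6"),
    Controller("server-room", "LP4502", "1.27.0", "10.20.0.7"),
    Controller("legacy-reader", "EP1502", "1.20.1", "10.20.0.8"),  # model not listed in this advisory
]
MGMT_NET = "10.9.0.0/24"   # placeholder management subnet

if __name__ == "__main__":
    for name, row in triage(SAMPLE_INVENTORY, MGMT_NET).items():
        print(f"{name}: affected={row['affected']} -> {row['action']}")
        for r in row["rules"]:
            print("   ", r)
```

Version strings are compared as integer tuples rather than as text so that "1.28.10" sorts below "1.29" and "1.29.1" sorts above it; an unrecognised string raises rather than quietly passing as patched. The generated rules only narrow reachability of the web interface and are no substitute for the 1.29 update.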


Weakness Enumeration

Related Identifiers

BDU:2022-03385
CVE-2022-31484

Affected Products

Hid Mercury Intelligent Controllers