CVE-2022-30269

Name of the Vulnerable Software and Affected Versions Motorola ACE1000 RTUs through 2022-05-02

Description The issue is related to the mishandling of application integrity in Motorola ACE1000 RTUs. These devices allow for custom application installation via the STS software, the C toolkit, or the ACE1000 Easy Configurator. Application images are uploaded via the Web UI in the case of the Easy Configurator, or transferred and installed using SFTP/SSH in the case of the C toolkit. The application images lack authentication, such as firmware signing, and rely only on insecure checksums for integrity checks. This can be exploited by a remote attacker to execute arbitrary code.

Recommendations For Motorola ACE1000 RTUs through 2022-05-02, consider disabling the custom application installation feature via the STS software, the C toolkit, or the ACE1000 Easy Configurator until a patch is available. Restrict access to the Web UI and SFTP/SSH to minimize the risk of exploitation. Avoid using insecure checksums for integrity checks and implement a secure authentication mechanism, such as firmware signing, to ensure the integrity of application images. At the moment, there is no information about a newer version that contains a fix for this vulnerability.