PT-2022-3241 · Hid · Hid Mercury Intelligent Controllers

Published: 2022-05-23 · Updated: 2022-06-17 · CVE-2022-31480

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 versions prior to 1.302 for the LP series and 1.296 for the EP series

Description

An unauthenticated attacker could arbitrarily upload firmware files to the target device, ultimately causing a Denial-of-Service (DoS). The attacker needs to have a properly signed and encrypted binary, and loading the firmware to the device triggers a reboot. This issue is related to errors in the security mechanisms of the HID Mercury programmable logic controllers' firmware.

Recommendations

Update HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 to firmware version 1.302 or later for the LP series and 1.296 or later for the EP series to resolve the issue. As a temporary workaround, consider restricting access to the firmware upload functionality to minimize the risk of exploitation.

Fix

Weakness Enumeration

Related Identifiers

BDU:2022-03945
CVE-2022-31480

Affected Products

Hid Mercury Intelligent Controllers