CVE-2022-2788

Name of the Vulnerable Software and Affected Versions Proficy Machine Edition versions 9.80 and prior

Description The issue is related to a Path Traversal vulnerability, also known as a ZipSlip attack, which allows attackers to implant a malicious .BLZ file on the PLC through an upload procedure. This can lead to the execution of malicious code when the file is transferred from the engineering station to Windows. The vulnerability is due to incorrect restriction of a pathname to a directory with limited access, enabling a remote attacker to execute arbitrary code using a specially crafted .BLZ file.

Recommendations For Proficy Machine Edition versions 9.80 and prior, consider disabling the upload procedure that enables attackers to implant malicious .BLZ files until a patch is available. Restrict access to the engineering station to minimize the risk of exploitation. Avoid using the upload feature for .BLZ files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.