CVE-2022-45092

Name of the Vulnerable Software and Affected Versions SINEC INS versions prior to V1.0 SP2 Update 1

Description A vulnerability has been identified that allows an authenticated remote attacker with access to the Web Based Management (443/tcp) to potentially read and write arbitrary files from and to the device's file system. This could be leveraged to trigger remote code execution on the affected component. The issue arises due to incorrect restriction of the path name to a directory with limited access, which may allow a remote attacker to execute arbitrary code by uploading arbitrary files to the device's file system.

Recommendations For versions prior to V1.0 SP2 Update 1, update to V1.0 SP2 Update 1 or later to resolve the issue. As a temporary workaround, consider restricting access to the Web Based Management interface on port 443/tcp to minimize the risk of exploitation. Additionally, restrict file system access to prevent arbitrary file reads and writes until a patch is applied.