PT-2023-1357 · Schneider Electric · Somachine Hvac+1

Published: 2023-01-10 · Updated: 2023-02-07 · CVE-2022-2988

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions

SoMachine HVAC versions prior to V2.1.0
EcoStruxure Machine Expert – HVAC versions prior to V1.4.0

Description

The issue is related to a lack of protection for service data, which could allow a remote attacker to disclose protected information by sending specific messages to the server through the database server's TCP port. It is also described as an out-of-bounds write vulnerability that could cause sensitive information leakage when accessing a malicious web page from the commissioning software.

Recommendations

For SoMachine HVAC versions prior to V2.1.0, update to version V2.1.0 or later to resolve the issue. For EcoStruxure Machine Expert – HVAC versions prior to V1.4.0, update to version V1.4.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the commissioning software to minimize the risk of exploitation.

Fix

Memory Corruption

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2023-00686
CVE-2022-2988

Affected Products

Ecostruxure Machine Expert – Hvac
Somachine Hvac