CVE-2022-22987: Advantech ADAM-3600

Reference Links

• https://www.cisa.gov/uscert/ics/advisories/icsa-22-032-02
• https://www.cisa.gov/news-events/ics-advisories/icsa-22-032-02 (Advisory)

Parent vulnerabilities

(Appears in the following advisories)

• ICSA-22-032-02

Frequently Asked Questions

• What is CVE-2022-22987?

  CVE-2022-22987 is a vulnerability in the Advantech Adam-3600 Firmware, where a hardcoded private key is available inside the project folder.

• What is the severity of CVE-2022-22987?

  CVE-2022-22987 has a severity rating of 9.8 (critical).

• How does CVE-2022-22987 impact the affected product?

  CVE-2022-22987 may allow an attacker to achieve Web Server login and perform further actions.

• Which versions of the Advantech Adam-3600 Firmware are affected by CVE-2022-22987?

  Versions up to and inclusive of 2.6.2 of the Advantech Adam-3600 Firmware are affected by CVE-2022-22987.

• Is Advantech Adam-3600 vulnerable to CVE-2022-22987?

  No, the Advantech Adam-3600 device itself is not vulnerable to CVE-2022-22987.

• What can be done to mitigate the vulnerability in Advantech Adam-3600 Firmware?

  To mitigate the vulnerability, it is recommended to update the Advantech Adam-3600 Firmware to a version higher than 2.6.2.

• What is CWE-798?

  CWE-798 is a classification for incorrect default permissions, which may be relevant to the hardcoded private key vulnerability in Advantech Adam-3600 Firmware.

• What is CWE-321?

  CWE-321 is a classification for Use of Hard-coded Cryptographic Key, which is relevant to the hardcoded private key vulnerability in Advantech Adam-3600 Firmware.

• Where can I find more information about CVE-2022-22987?

  You can find more information about CVE-2022-22987 on the CISA website at https://www.cisa.gov/uscert/ics/advisories/icsa-22-032-02.