All CISA Advisories, EN

Open Automation Software

2024-12-04 12:12

1. EXECUTIVE SUMMARY

CVSS v4 8.5
ATTENTION: Low attack complexity
Vendor: Open Automation Software
Equipment: Open Automation Software
Vulnerability: Incorrect Execution-Assigned Permissions

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in an attacker executing code with escalated privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Open Automation Software, an HMI, SCADA, and IoT solution, are affected:

Open Automation Software: prior to V20.00.0076

3.2 Vulnerability Overview

3.2.1 INCORRECT EXECUTION-ASSIGNED PERMISSIONS CWE-279

A local low-level user on the server machine with credentials to the running OAS services can create and execute a report with an rdlx file on the server system itself. Any code within the rdlx file of the report executes with SYSTEM privileges, resulting in privilege escalation.

CVE-2024-11220 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-11220. A base score of 8.5 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMP

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from All CISA Advisories

Read the original article:

Open Automation Software

Tags: All CISA Advisories EN

Post navigation

← Fuji Electric Monitouch V-SFT

Fuji Electric Tellus Lite V-Simulator →

Search for:
Pages

Advertising

Contact

Legal and Contact information

Opt-out preferences

Privacy Policy

Social Media

Apps

Telegram Channel

Recent Posts

Threat Actors Use GenAI to Launch Phishing Attacks Mimicking Government Websites August 6, 2025

An explanation of quantum cryptography August 6, 2025

Verizon will give you a free Samsung flip phone right now – how to qualify for the deal August 6, 2025

5 Linux distros I recommend to help businesses cut costs and boost security August 6, 2025

How to check for bad blocks on a Linux PC hard drive (and why you shouldn’t wait to do it) August 6, 2025

I love the Samsung Z Fold 7, but these Google Pixel 10 Pro Fold features can win me over August 6, 2025

5 Chromecast TV features you’re not taking advantage of (including this smart home trick) August 6, 2025

WhatsApp Takes Down 6.8 Million Accounts Linked to Criminal Scam Centers, Meta Says August 6, 2025

UK’S Online Safety Act Faces Criticism, Doesn’t Make Children Safer Online August 6, 2025

SafePay Ransomware Threaten Public Disclosure of 3.5 TB Worth of Ingram Micro Files August 6, 2025

7AI enables end-to-end autonomous security operations August 6, 2025

US Authorities Extradite Nigerian Man Accused of Hacking and Fraud August 6, 2025

Sophisticated DevilsTongue Spyware Tracks Windows Users Worldwide August 6, 2025

5 command line backup tools every Linux user should use for desktops and servers August 6, 2025

Citizen Lab director warns cyber industry about US authoritarian descent August 6, 2025

Every Reason Why I Hate AI and You Should Too August 6, 2025

Effortless Cloud Security: A Beginner’s Checklist for a Safer Cloud Environment August 6, 2025

Trend Micro Patches Apex One Vulnerabilities Exploited in Wild August 6, 2025

Sysdig Previews Set of AI Agents for Cloud Security Platform August 6, 2025

Sharp Increase in Ransomware Incidents Hits Energy Sector August 6, 2025

Copyright © 2025 IT Security News. All Rights Reserved. The Magazine Basic Theme by bavotasan.com.

Manage Consent

To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.

Functional Functional Always active

The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.

Preferences Preferences

The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.

Statistics Statistics

The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.

Marketing Marketing

The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.

Manage options Manage services Manage {vendor_count} vendors Read more about these purposes

View preferences

{title} {title} {title}