CVE-2022-26423 in TUG Home Base Server
Summary
by MITRE • 10/21/2022
Aethon TUG Home Base Server versions prior to version 24 are affected by an unauthenticated attacker who can freely access hashed user credentials.
Analysis
by VulDB Data Team • 04/17/2025
The vulnerability identified as CVE-2022-26423 affects Aethon TUG Home Base Server versions prior to 24. It is a critical flaw that lets an unauthenticated attacker read hashed user credentials, which means the server fails to protect sensitive credential data from unauthorized access and its authentication and authorization mechanisms are significantly weakened. The flaw lies in the server's handling of user authentication data: hashed credentials are exposed through improper access controls or insecure API endpoints. Such exposure creates a substantial risk for organizations relying on this system for autonomous underwater vehicle operations and related infrastructure management.
The technical nature of this vulnerability aligns with CWE-287, which addresses improper authentication issues in software systems, and specifically relates to CWE-522 which deals with insufficiently protected credentials. The flaw demonstrates a failure in the principle of least privilege, where sensitive data is accessible without proper authentication mechanisms. Attackers can exploit this vulnerability to obtain password hashes, which can then be subjected to offline cracking attacks or used in credential reuse attacks against other systems. The exposure of hashed credentials provides attackers with a foothold that could potentially lead to further system compromise, especially if weak hashing algorithms or insufficient computational complexity are employed in the hashing process.
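To make the CWE-522 pattern described above concrete, the following added example (not Aethon's code; the TUG Home Base Server's real endpoint, data model and session handling are not public, so the route name "/api/users", the request shape, the session token and the user table are assumptions constructed for the illustration) places a handler that hands out stored password hashes to any caller beside a hardened handler that requires a session and never puts credential material in a response body. It also stores hashes with a salted, iterated KDF, which is what limits the value of any hash that does leak.

```python
"""Added illustration of the CWE-522 credential-exposure pattern and its fix.

Not Aethon's code. Route name, request shape, session store and user
table are assumptions constructed for this example.
"""
import hashlib
import hmac
import os
from typing import Optional


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256) so a leaked hash is
    expensive to attack offline, unlike a bare MD5/SHA-1 digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


# Constructed sample user table; passwords are throwaway example values
# used only to derive the stored hashes, with a random salt per user.
_SALT_A = os.urandom(16)
_SALT_B = os.urandom(16)
USERS = {
    "operator": {"role": "operator", "salt": _SALT_A,
                 "password_hash": _pbkdf2("example-operator-pw", _SALT_A)},
    "admin": {"role": "admin", "salt": _SALT_B,
              "password_hash": _pbkdf2("example-admin-pw", _SALT_B)},
}

# Constructed session store (token -> username). A real server keeps this
# server-side with expiry; one fixed token is enough for the example.
SESSIONS = {"session-token-for-operator": "operator"}


def vulnerable_users_endpoint(request: dict) -> tuple[int, list[dict]]:
    """The flawed shape: GET /api/users returns every user record,
    password hashes and salts included, with no authentication check."""
    if request.get("path") != "/api/users":
        return 404, []
    return 200, [dict(username=u, **rec) for u, rec in USERS.items()]


def _authenticate(request: dict) -> Optional[str]:
    """Return the username bound to the presented session token, or None.
    Constant-time comparison avoids leaking token bytes through timing."""
    presented = request.get("headers", {}).get("X-Session-Token", "")
    for token, user in SESSIONS.items():
        if hmac.compare_digest(token, presented):
            return user
    return None


def hardened_users_endpoint(request: dict) -> tuple[int, list[dict]]:
    """Fixed shape: reject unauthenticated callers, and never serialize
    credential material (hash or salt) into a response body at all."""
    if request.get("path") != "/api/users":
        return 404, []
    if _authenticate(request) is None:
        return 401, []
    return 200, [{"username": u, "role": rec["role"]} for u, rec in USERS.items()]


if __name__ == "__main__":
    anon = {"path": "/api/users"}
    print("vulnerable, no auth:", vulnerable_users_endpoint(anon)[0])
    print("hardened,   no auth:", hardened_users_endpoint(anon)[0])
```

The two fixes are independent and both matter: the authentication check closes the unauthenticated path, and dropping the hash from the response means that even an authenticated but over-privileged caller, or a future regression in the check, does not turn the endpoint into a credential dump.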
From an operational impact perspective, this vulnerability creates significant risk for organizations deploying Aethon TUG systems in sensitive environments where unauthorized access to user credentials could enable attackers to gain control over autonomous underwater vehicles or related infrastructure. The unauthenticated access to hashed credentials directly violates security best practices and could result in unauthorized system manipulation, data theft, or operational disruption. The vulnerability affects the confidentiality and integrity of user authentication data, potentially enabling attackers to perform privilege escalation attacks or maintain persistent access to the system. Organizations using affected versions may experience security breaches that could compromise their autonomous underwater vehicle operations, particularly in critical infrastructure applications such as offshore energy, maritime surveillance, or scientific research operations.
The recommended mitigation for CVE-2022-26423 is an immediate upgrade to Aethon TUG Home Base Server version 24 or later, which should contain the security patches that address the unauthenticated access issue. Organizations should also segment the network to limit which hosts can reach the affected server, enforce strong access controls, and conduct thorough security assessments of their autonomous underwater vehicle infrastructure. Security teams should monitor for indicators of compromise related to credential exposure and consider multi-factor authentication where possible. The vulnerability demonstrates the importance of proper authentication design and access control implementation; the resulting attacker behaviour maps to the Credential Access and Privilege Escalation tactics of the MITRE ATT&CK framework. Organizations should also review their overall security posture and ensure that similar vulnerabilities are not present in other systems within their operational environment.
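The segmentation and monitoring recommendations above can be checked against access logs. The following added example (not Aethon's code; the TUG Home Base Server's real log format and endpoint names are not public, so the line layout, the "/api/users" paths and the management subnet are assumptions constructed here) parses constructed log lines and raises a finding whenever a credential-bearing endpoint answers an unauthenticated request with success, or is reached from outside the management network that segmentation should confine it to.

```python
"""Added example: log review for exposure of a credential-bearing endpoint.

Not Aethon's code. Log layout, sensitive paths and the management subnet
are assumptions constructed for this example.
"""
import ipaddress
from typing import NamedTuple

# Assumed: endpoints that return user/credential records, and the
# management network they should only be reachable from.
SENSITIVE_PATHS = {"/api/users", "/api/users/export"}
MANAGEMENT_NET = ipaddress.ip_network("10.10.0.0/24")

REASON_UNAUTH_SUCCESS = "unauthenticated success on credential endpoint"
REASON_OUTSIDE_NET = "credential endpoint reached from outside management network"

# Constructed sample log, one request per line:
#   <timestamp> <client_ip> <method> <path> <status> <auth_user or ->
SAMPLE_LOG = """\
2025-04-17T08:00:01Z 10.10.0.15 GET /api/users 200 operator
2025-04-17T08:00:07Z 192.0.2.44 GET /api/users 200 -
2025-04-17T08:00:09Z 192.0.2.44 GET /api/users/export 200 -
2025-04-17T08:01:12Z 10.10.0.15 GET /api/status 200 operator
2025-04-17T08:02:30Z 198.51.100.9 GET /api/users 401 -
"""


class Record(NamedTuple):
    timestamp: str
    client: str
    method: str
    path: str
    status: int
    auth_user: str  # "-" when the request carried no valid session


class Finding(NamedTuple):
    timestamp: str
    client: str
    path: str
    reason: str


def parse_line(line: str) -> Record:
    """Split one log line into a Record; raises ValueError on malformed input."""
    ts, client, method, path, status, auth = line.split()
    return Record(ts, client, method, path, int(status), auth)


def analyze(log_text: str) -> list[Finding]:
    """Return one Finding per rule violation on a sensitive path.

    Rule 1: a 2xx response to a request with no authenticated user means
            the access control the fix is supposed to add is not in effect.
    Rule 2: any request from outside MANAGEMENT_NET, whatever its status,
            means segmentation is not confining the endpoint.
    """
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec.path not in SENSITIVE_PATHS:
            continue
        if rec.auth_user == "-" and 200 <= rec.status < 300:
            findings.append(Finding(rec.timestamp, rec.client, rec.path, REASON_UNAUTH_SUCCESS))
        if ipaddress.ip_address(rec.client) not in MANAGEMENT_NET:
            findings.append(Finding(rec.timestamp, rec.client, rec.path, REASON_OUTSIDE_NET))
    return findings


def clients_flagged(findings: list[Finding]) -> set[str]:
    """Distinct client addresses that triggered at least one finding."""
    return {f.client for f in findings}


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client} {f.path}: {f.reason}")
```

On the constructed sample the two successful anonymous reads from 192.0.2.44 each trigger both rules, and the 401 from 198.51.100.9 triggers only the segmentation rule; a 401 is the patched behaviour, but a request from outside the management network reaching the endpoint at all is still worth a ticket. Run against real logs, the first rule should produce nothing once version 24 or later is deployed, which makes it a cheap regression check for the upgrade.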