CVE-2022-43975 in MS3000info

Summary

by MITRE • 01/18/2023

An issue was discovered in FC46-WebBridge on GE Grid Solutions MS3000 devices before 3.7.6.25p0_3.2.2.17p0_4.7p0. A vulnerability in the web server allows arbitrary files and configurations to be read via directory traversal over TCP port 8888.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 04/08/2025

The vulnerability identified as CVE-2022-43975 affects the FC46-WebBridge component within GE Grid Solutions MS3000 devices, representing a critical directory traversal flaw that exposes sensitive system information. This issue exists in firmware versions prior to 3.7.6.25p0_3.2.2.17p0_4.7p0, making a significant portion of deployed industrial control systems susceptible to unauthorized access. The vulnerability specifically manifests through the web server interface operating on TCP port 8888, which serves as the primary communication channel for remote management and configuration of these grid solutions devices. The flaw enables attackers to manipulate file path references and access arbitrary files on the device filesystem through crafted HTTP requests, potentially compromising the integrity and confidentiality of the industrial control environment.

This directory traversal vulnerability stems from inadequate input validation within the web server implementation, allowing malicious actors to exploit path traversal sequences such as ../ or ..\ to navigate beyond the intended directory boundaries. The attack vector operates through standard web protocols and requires no authentication for initial exploitation, as the vulnerability exists in the unauthenticated web interface. The affected web bridge component provides access to configuration files, system logs, and potentially sensitive operational data that could reveal critical infrastructure details. According to CWE classification, this vulnerability maps to CWE-22: Improper Limitation of a Pathname to a Restricted Directory, which is a well-documented weakness in web application security that directly enables unauthorized file access. The severity of this flaw is compounded by the fact that it affects industrial control systems where the exposed information could enable attackers to understand system architecture and potentially plan more sophisticated attacks against the broader grid infrastructure.

The operational impact of CVE-2022-43975 extends beyond simple information disclosure, as the exposed configuration files may contain credentials, system parameters, and operational settings that could be leveraged for further compromise. Attackers could potentially access system logs that reveal operational patterns, network configurations, and device status information that would be valuable for planning targeted attacks against the industrial control environment. The vulnerability's presence on TCP port 8888, which is commonly used for remote management interfaces, makes it particularly dangerous as it aligns with standard industrial network management practices. This exposure creates opportunities for attackers to gather intelligence about device firmware versions, network topology, and operational procedures that could be used to conduct advanced persistent threats or facilitate lateral movement within the industrial network infrastructure. The vulnerability directly relates to ATT&CK technique T1213.002: Data from Information Repositories, where adversaries harvest system information from exposed web interfaces to build comprehensive profiles of target environments.

Mitigation strategies for this vulnerability require immediate firmware updates to versions 3.7.6.25p0_3.2.2.17p0_4.7p0 or later, which contain patches addressing the directory traversal flaw in the web server implementation. Network segmentation should be implemented to restrict access to TCP port 8888, ensuring that only authorized administrative systems can reach the web interface. Access controls must be strengthened through the implementation of robust authentication mechanisms and role-based access controls to limit who can interact with the web bridge functionality. Additionally, network monitoring should be enhanced to detect unusual patterns of access to the web interface, particularly requests that attempt directory traversal sequences. Organizations should conduct comprehensive vulnerability assessments to identify all instances of affected MS3000 devices within their industrial control networks and prioritize remediation efforts based on risk exposure. The implementation of network access controls and firewall rules to restrict external access to the vulnerable port represents a critical defensive measure that can significantly reduce the attack surface while awaiting full firmware upgrades. Regular security assessments and penetration testing should be conducted to verify that the implemented controls effectively prevent exploitation of similar vulnerabilities in the industrial control environment.

Reservation

10/28/2022

Disclosure

01/18/2023

Moderation

accepted

CPE

ready

EPSS

0.00916

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!