Frauscher: FDS102 for FAdC/FAdCi remote code execution vulnerability

VDE-2023-049

Last update

12/11/2023 08:00

Published at

12/11/2023 08:00

Vendor(s)

Frauscher Sensortechnik GmbH

External ID

VDE-2023-049

CSAF Document

Download

Summary

Frauscher Sensortechnik GmbH FDS102 for FAdC/FAdCi v2.10.1 is vulnerable to a remote code execution (RCE) vulnerability via manipulated parameters of the web interface by using an authenticated session cookie.

Impact

This vulnerability may lead to a full compromise of the FDS102 device.

Affected Product(s)

Model no.	Product name	Affected versions
	FDS102 for FAdC/FAdCi	Firmware 2.10.0<=2.10.1

Vulnerabilities

Expand / Collapse all

Published

09/22/2025 14:58

Severity

8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weakness

Improper Control of Generation of Code ('Code Injection') (CWE-94)

Summary

This vulnerability allows an remote attacker with low privileges to misuse Improper Control of Generation of Code ('Code Injection') to gain full control of the affected device.

References

cve.org | nvd.nist.gov

Mitigation

Security-related application conditions SecRAC

The railway operator must ensure that only authorised personnel or people in the company of authorised personnel have access to the Frauscher Diagnostic System FDS102.

The recommendation is to connect the Frauscher Diagnostic System FDS102 to a network of category 2. If the Frauscher Diagnostic System FDS102 is connected to a network of category 3 (according to EN 50159:2010), then additional protective measures must be added.

Remediation

Update to FDS102 v2.10.2

Revision History

Version	Date	Summary
1	12/11/2023 08:00	Initial revision.

Frauscher: FDS102 for FAdC/FAdCi remote code execution vulnerability

Summary

Impact

Affected Product(s)

Vulnerabilities

CVE-2023-5500 8.8

Mitigation

Remediation

Revision History