VDE-2022-023 | CERT@VDE

2022-10-17 10:00 (CEST) VDE-2022-023

TRUMPF TruTops prone to improper access control

Share: Email | Twitter

ID

VDE-2022-023

Published

2022-10-17 10:00 (CEST)

Last update

2022-10-14 12:22 (CEST)

Vendor(s)

TRUMPF Werkzeugmaschinen SE + Co. KG

Product(s)

Article No°	Product Name	Affected Version(s)
	Job Order Interface	= All Versions
	Oseon	<= 1.6
	TruTops Boost with option Graphic separation of cut parts	= All Versions
	TruTops Boost with option Inventory of sheets and remainder sheets	= All Versions
	TruTops Fab	= All Versions
-	TruTops Monitor	= All Versions

Summary

During the installation of specific TRUMPF Windows applications, privileged local users with default usernames and passwords are created. An adversary could use these users to access and compromise the affected Windows systems and, under certain circumstances, other network resources.

CVE ID

CVE-2022-2052

Last Update:

Aug. 30, 2024, 9:28 a.m.

Severity

9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Weakness

Improper Access Control (CWE-284)

Summary

Multiple Trumpf Products in multiple versions use default privileged Windows users and passwords. An adversary may use these accounts to remotely gain full access to the system.

Details

nvd.nist.gov

Impact

Privileged local users with default usernames and passwords can be used to access and compromise affected Windows PCs and possibly other network resources.

Solution

Solution

Please contact your TRUMPF Service with the PR number 496330.

Reported by

CERT@VDE coordinated with TRUMPF