Emerson CVE Vulnerabilities and CVE List (85)

Products (CPE): — CVE count: 85

Emerson Vulnerability Overview

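This page aggregates CVE and security vulnerability information across Emerson-related products, and lists CVSS, EPSS, publication date, and vulnerability intelligence data.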

Past issues mainly involve input validation and cross-site scripting, among others; some lead to memory corruption, and they affect scenarios related to software deployment and production workloads.

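The listed data is based on public vulnerability information and security advisories, and can be used to assess past exposure and remediation priority.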

Vulnerability distribution trend (last 24 months)

Showing 1-20 / 85 CVEs
| CVE | Summary | Source | CVSS (max) | EPSS (%) | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2024-1156 | Incorrect directory permissions for the shared NI RabbitMQ service may allow a local authenticated user to read RabbitMQ configuration information and potentially enable escalation of privileges. | [email protected] | 7.8 | 0.14% | 2024-02-20 | 2025-02-12 |
| CVE-2024-1155 | Incorrect permissions in the installation directories for shared SystemLink Elixir based services may allow an authenticated user to potentially enable escalation of privilege via local access. | [email protected] | 7.8 | 0.11% | 2024-02-20 | 2025-02-12 |
| CVE-2023-51761 | In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could bypass authentication and acquire admin capabilities. | [email protected] | 8.3 | 0.04% | 2024-02-09 | 2025-06-10 |
| CVE-2023-49716 | In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an authenticated user with network access could run arbitrary commands from a remote computer. | [email protected] | 6.9 | 0.08% | 2024-02-09 | 2024-11-21 |
| CVE-2023-46687 | In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could execute arbitrary commands in root context from a remote computer. | [email protected] | 9.8 | 0.27% | 2024-02-09 | 2024-11-21 |
| CVE-2023-43609 | In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could obtain access to sensitive information or cause a denial-of-service condition. | [email protected] | 6.9 | 0.16% | 2024-02-09 | 2025-06-10 |
| CVE-2023-1935 | ROC800-Series RTU devices are vulnerable to an authentication bypass, which could allow an attacker to gain unauthorized access to data or control of the device and cause a denial-of-service condition. | [email protected] | 9.4 | 0.02% | 2023-08-02 | 2024-11-21 |
| CVE-2022-30260 | Emerson DeltaV Distributed Control System (DCS) has insufficient verification of firmware integrity (an inadequate checksum approach, and no signature). This affects versions before 14.3 of DeltaV M-series, DeltaV S-series, DeltaV P-series, DeltaV SIS, and DeltaV CIOC/EIOC/WIOC IO cards. | [email protected] | 7.8 | 0.03% | 2022-12-26 | 2024-11-21 |
| CVE-2022-2791 | Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulnerable to CWE-434 Unrestricted Upload of File with Dangerous Type, and will upload any file written into the PLC logic folder to the connected PLC. | [email protected] | 5.9 | 0.05% | 2022-11-22 | 2024-11-21 |
| CVE-2022-2793 | Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulnerable to CWE-353 Missing Support for Integrity Check, and has no authentication or authorization of data packets after establishing a connection for the SRTP protocol. | [email protected] | 5.9 | 0.02% | 2022-08-19 | 2024-11-21 |
| CVE-2022-2792 | Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulnerable to CWE-284 Improper Access Control, and stores project data in a directory with improper access control lists. | [email protected] | 6.6 | 0.10% | 2022-08-19 | 2024-11-21 |
| CVE-2022-2790 | Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulnerable to CWE-347 Improper Verification of Cryptographic Signature, and does not properly verify compiled logic (PDT files) and data blocks data (BLD/BLK files). | [email protected] | 5.9 | 0.03% | 2022-08-19 | 2024-11-21 |
| CVE-2022-2789 | Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulnerable to CWE-345 Insufficient Verification of Data Authenticity, and can display logic that is different than the compiled logic. | [email protected] | 4.7 | 0.04% | 2022-08-19 | 2024-11-21 |
| CVE-2022-2788 | Emerson Electric's Proficy Machine Edition Version 9.80 and prior is vulnerable to CWE-29 Path Traversal: '\..\Filename', also known as a ZipSlip attack, through an upload procedure which enables attackers to implant a malicious .BLZ file on the PLC. The file can transfer through the engineering station onto Windows in a way that executes the malicious code. | [email protected] | 3.9 | 0.14% | 2022-08-19 | 2024-11-21 |
| CVE-2022-30262 | The Emerson ControlWave 'Next Generation' RTUs through 2022-05-02 mishandle firmware integrity. They utilize the BSAP-IP protocol to transmit firmware updates. Firmware updates are supplied as CAB archive files containing a binary firmware image. In all cases, firmware images were found to have no authentication (in the form of firmware signing) and only relied on insecure checksums for regular integrity checks. | [email protected] | 7.8 | 0.04% | 2022-08-17 | 2024-11-21 |
| CVE-2022-30264 | The Emerson ROC and FloBoss RTU product lines through 2022-05-02 perform insecure filesystem operations. They utilize the ROC protocol (4000/TCP, 5000/TCP) for communications between a master terminal and RTUs. Opcode 203 of this protocol allows a master terminal to transfer files to and from the flash filesystem and carry out arbitrary file and directory read, write, and delete operations. | [email protected] | 9.8 | 0.10% | 2022-08-16 | 2024-11-21 |
| CVE-2022-29959 | Emerson OpenBSI through 2022-04-29 mishandles credential storage. It is an engineering environment for the ControlWave and Bristol Babcock line of RTUs. This environment provides access control functionality through user authentication and privilege management. The credentials for various users are stored insecurely in the SecUsers.ini file by using a simple string transformation rather than a cryptographic mechanism. | [email protected] | 5.5 | 0.11% | 2022-08-16 | 2024-11-21 |
| CVE-2022-29965 | The Emerson DeltaV Distributed Control System (DCS) controllers and IO cards through 2022-04-29 misuse passwords. Access to privileged operations on the maintenance port TELNET interface (23/TCP) on M-series and SIS (CSLS/LSNB/LSNG) nodes is controlled by means of utility passwords. These passwords are generated using a deterministic, insecure algorithm using a single seed value composed of a day/hour/minute timestamp with less than 16 bits of entropy. The seed value is fed through a lookup tabl | [email protected] | 5.5 | 0.05% | 2022-07-26 | 2024-11-21 |
| CVE-2022-29964 | The Emerson DeltaV Distributed Control System (DCS) controllers and IO cards through 2022-04-29 misuse passwords. WIOC SSH provides access to a shell as root, DeltaV, or backup via hardcoded credentials. NOTE: this is different from CVE-2014-2350. | [email protected] | 5.5 | 0.11% | 2022-07-26 | 2024-11-21 |
| CVE-2022-29963 | The Emerson DeltaV Distributed Control System (DCS) controllers and IO cards through 2022-04-29 misuse passwords. TELNET on port 18550 provides access to a root shell via hardcoded credentials. This affects S-series, P-series, and CIOC/EIOC nodes. NOTE: this is different from CVE-2014-2350. | [email protected] | 5.5 | 0.11% | 2022-07-26 | 2024-11-21 |
cvelogic Threat Intelligence