CVE-2022-23854

HIGH NUCLEI

AVEVA InTouch Access Anywhere <2020 R2 - Path Traversal


Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-23854, a PoC published by Jens Regel. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit demonstrates a path traversal vulnerability in AVEVA InTouch Access Anywhere Secure Gateway 2020 R2 and older versions. The PoC uses URL-encoded traversal sequences to access the `windows\win.ini` file, confirming the vulnerability.

Description

AVEVA InTouch Access Anywhere versions 2020 R2 and older are vulnerable to a path traversal exploit that could allow an unauthenticated user with network access to read files on the system outside of the secure gateway web server.

Exploits (1)

exploitdb · WORKING POC
by Jens Regel · text · remote · hardware
https://www.exploit-db.com/exploits/51028

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: AVEVA InTouch Access Anywhere Secure Gateway versions 2020 R2 and older
No auth needed
Prerequisites: Network access to the target system
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

AVEVA InTouch Access Anywhere Secure Gateway - Local File Inclusion
HIGH · VERIFIED · by For3stCo1d
Shodan: http.html:"InTouch Access Anywhere" || http.html:"intouch access anywhere"
FOFA: body="intouch access anywhere"

Scores

CVSS v3: 7.5
EPSS: 0.4596
EPSS Percentile: 98.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-22, CWE-23
Status: published
Products (2):
aveva/intouch_access_anywhere 2020 (2 CPE variants)
aveva/intouch_access_anywhere < 2020
Published: Dec 23, 2022
Tracked Since: Feb 18, 2026