CVE-2022-2758

MEDIUM

Ls-electric Xg5000 - Weak Encryption

Title source: rule

Description

Passwords are not adequately encrypted during the communication process between all versions of LS Industrial Systems (LSIS) Co. Ltd LS Electric XG5000 software prior to V4.0 and LS Electric PLCs: all versions of XGK-CPUU/H/A/S/E prior to V3.50, all versions of XGI-CPUU/UD/H/S/E prior to V3.20, all versions of XGR-CPUH prior to V1.80, all versions of XGB-XBMS prior to V3.00, all versions of XGB-XBCH prior to V1.90, and all versions of XGB-XECH prior to V1.30. This would allow an attacker to identify and decrypt the password of the affected PLCs by sniffing the PLC’s communication traffic.

References (1)

[Third Party Advisory, US Government Resource] https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-02

Scores

CVSS v3 6.5

EPSS 0.0012

EPSS Percentile 29.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-326

Status published

Products (50)

ls-electric/gm7_firmware

ls-electric/gm7u_firmware

ls-electric/k120s_firmware

ls-electric/k80s_firmware

ls-electric/xbc-dn10e_firmware

ls-electric/xbc-dn14e_firmware

ls-electric/xbc-dn20e_firmware

ls-electric/xbc-dn20su_firmware

ls-electric/xbc-dn30e_firmware

ls-electric/xbc-dn30su_firmware

... and 40 more

Published Aug 31, 2022

Tracked Since Feb 18, 2026