CVE-2022-2758
MEDIUMLS Electric XG5000 < V4.0 and XGK/XGI/XGR/XGB PLCs - Inadequate Encryption Strength
Title source: llmDescription
Passwords are not adequately encrypted during the communication process between all versions of LS Industrial Systems (LSIS) Co. Ltd LS Electric XG5000 software prior to V4.0 and LS Electric PLCs: all versions of XGK-CPUU/H/A/S/E prior to V3.50, all versions of XGI-CPUU/UD/H/S/E prior to V3.20, all versions of XGR-CPUH prior to V1.80, all versions of XGB-XBMS prior to V3.00, all versions of XGB-XBCH prior to V1.90, and all versions of XGB-XECH prior to V1.30. This would allow an attacker to identify and decrypt the password of the affected PLCs by sniffing the PLC’s communication traffic.
References (1)
Core 1
Core References
Third Party Advisory, US Government Resource
https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-02
Scores
CVSS v3
6.5
EPSS
0.0031
EPSS Percentile
22.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-326
Status
published
Products (50)
ls-electric/gm7_firmware
ls-electric/gm7u_firmware
ls-electric/k120s_firmware
ls-electric/k80s_firmware
ls-electric/xbc-dn10e_firmware
ls-electric/xbc-dn14e_firmware
ls-electric/xbc-dn20e_firmware
ls-electric/xbc-dn20su_firmware
ls-electric/xbc-dn30e_firmware
ls-electric/xbc-dn30su_firmware
... and 40 more
Published
Aug 31, 2022
Tracked Since
Feb 18, 2026