CVE-2022-30308
CRITICALFesto Controller CECC-X-M1 Firmware < 3.8.14 - Unauthenticated OS Command Injection via HTTP Endpoint
Title source: llmDescription
In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-web-viewer-request-on" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.
References (1)
Core 1
Core References
Third Party Advisory x_refsource_confirm
https://cert.vde.com/en/advisories/VDE-2022-020/
Scores
CVSS v3
9.8
EPSS
0.0267
EPSS Percentile
83.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-78
CWE-863
Status
published
Products (11)
festo/controller_cecc-x-m1-mv-s1_firmware
4.0.14
festo/controller_cecc-x-m1-mv-s1_firmware
< 3.8.14
festo/controller_cecc-x-m1-mv_firmware
4.0.14
festo/controller_cecc-x-m1-mv_firmware
< 3.8.14
festo/controller_cecc-x-m1-y-yjkp_firmware
< 3.8.14
festo/controller_cecc-x-m1-ys-l1_firmware
< 3.8.14
festo/controller_cecc-x-m1-ys-l2_firmware
< 3.8.14
festo/controller_cecc-x-m1_firmware
4.0.14
festo/controller_cecc-x-m1_firmware
< 3.8.14
festo/servo_press_kit_yjkp-_firmware
< 3.8.14
... and 1 more
Published
Jun 13, 2022
Tracked Since
Feb 18, 2026