CVE-2022-40282
Severity: HIGH
Hirschmann BAT-C2 < 09.13.00r04 - Authenticated Command Injection via FsCreateDir dir Parameter
Title source: llmDescription
The web server of Hirschmann BAT-C2 before 09.13.01.00R04 allows authenticated command injection: the dir parameter of the FsCreateDir Ajax function is not sufficiently sanitized, so an authenticated attacker can pass commands to the system shell. The vendor's ID is BSECV-2022-21.
References (3)
Core references:
- Exploit, Third Party Advisory: http://packetstormsecurity.com/files/170063/Hirschmann-Belden-BAT-C2-8.8.1.0R8-Command-Injection.html
- Exploit, Third Party Advisory, mailing-list: http://seclists.org/fulldisclosure/2022/Nov/19
Scores
CVSS v3: 8.8
EPSS: 0.0397
EPSS Percentile: 89.1%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-77
Status: published
Products (1): belden/hirschmann_bat-c2_firmware < 09.13.00r04
Published: Nov 25, 2022
Tracked Since: Feb 18, 2026