{"containers": {"cna": {"affected": [{"product": "PLC4TRUCKS", "vendor": "Power Line Communications", "versions": [{"status": "affected", "version": "J2497 "}]}], "credits": [{"lang": "en", "value": "National Motor Freight Traffic Association, Inc. (NMFTA) researcher Ben Gardiner, NMFTA motor freight carrier members, and Assured Information Security researchers Chris Poore, Dan Salloum, and Eric Thayer reported this vulnerability to CISA."}], "descriptions": [{"lang": "en", "value": "Power Line Communications PLC4TRUCKS J2497 trailer brake controllers implement diagnostic functions which can be invoked by replaying J2497 messages. There is no authentication or authorization for these functions."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "CWE-306", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-07T15:28:22.000Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-063-01"}], "source": {"discovery": "UNKNOWN"}, "title": "ICSA-22-063-01 Missing Authentication for Critical Function in Trailer Power Line Communications (PLC) J2497", "workarounds": [{"lang": "en", "value": "The vulnerable technology, J2497, has been fielded since 2001 and the service lifetime of trailers is 15 to 30 years. For new equipment, the industry should consider dropping all J2497 features except for backwards-compatibility with LAMP ON detection only. For trailer equipment this means migrating all diagnostics to whatever newer trailer buses are established as the norm. For tractor equipment this means removing support for reception of any J2497 message other than LAMP messages and protecting the backwards-compatible trailers from attack. \n\nNMFTA has published detailed information about how to mitigate these issues in the following ways:\nInstall a LAMP ON firewall for each ECU\nUse a LAMP detect circuit LAMP ON sender with each trailer\nChange addresses dynamically on each tractor in response to detecting a transmitter on its current address. \nInstall RF chokes on each trailer between chassis ground and wiring ground\nLoad with LAMP keyhole signal on each tractor\nFlood with jamming signal on each tractor\nPlease see the publication from the NMFTA for additional details on these and other solutions."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2022-25922", "STATE": "PUBLIC", "TITLE": "ICSA-22-063-01 Missing Authentication for Critical Function in Trailer Power Line Communications (PLC) J2497"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "PLC4TRUCKS", "version": {"version_data": [{"version_affected": "=", "version_value": "J2497 "}]}}]}, "vendor_name": "Power Line Communications"}]}}, "credit": [{"lang": "eng", "value": "National Motor Freight Traffic Association, Inc. (NMFTA) researcher Ben Gardiner, NMFTA motor freight carrier members, and Assured Information Security researchers Chris Poore, Dan Salloum, and Eric Thayer reported this vulnerability to CISA."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Power Line Communications PLC4TRUCKS J2497 trailer brake controllers implement diagnostic functions which can be invoked by replaying J2497 messages. There is no authentication or authorization for these functions."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-306"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-063-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-063-01"}]}, "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "The vulnerable technology, J2497, has been fielded since 2001 and the service lifetime of trailers is 15 to 30 years. For new equipment, the industry should consider dropping all J2497 features except for backwards-compatibility with LAMP ON detection only. For trailer equipment this means migrating all diagnostics to whatever newer trailer buses are established as the norm. For tractor equipment this means removing support for reception of any J2497 message other than LAMP messages and protecting the backwards-compatible trailers from attack. \n\nNMFTA has published detailed information about how to mitigate these issues in the following ways:\nInstall a LAMP ON firewall for each ECU\nUse a LAMP detect circuit LAMP ON sender with each trailer\nChange addresses dynamically on each tractor in response to detecting a transmitter on its current address. \nInstall RF chokes on each trailer between chassis ground and wiring ground\nLoad with LAMP keyhole signal on each tractor\nFlood with jamming signal on each tractor\nPlease see the publication from the NMFTA for additional details on these and other solutions."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:49:44.366Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-063-01"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-16T15:56:06.000143Z", "id": "CVE-2022-25922", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T16:43:59.855Z"}}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-25922", "datePublished": "2022-03-07T15:28:22.000Z", "dateReserved": "2022-03-01T00:00:00.000Z", "dateUpdated": "2025-04-16T16:43:59.855Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-063-01", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:49:44.366Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-25922", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-16T15:56:06.000143Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T15:56:09.012Z"}}], "cna": {"title": "ICSA-22-063-01 Missing Authentication for Critical Function in Trailer Power Line Communications (PLC) J2497", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "value": "National Motor Freight Traffic Association, Inc. (NMFTA) researcher Ben Gardiner, NMFTA motor freight carrier members, and Assured Information Security researchers Chris Poore, Dan Salloum, and Eric Thayer reported this vulnerability to CISA."}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Power Line Communications", "product": "PLC4TRUCKS", "versions": [{"status": "affected", "version": "J2497 "}]}], "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-063-01", "tags": ["x_refsource_CONFIRM"]}], "workarounds": [{"lang": "en", "value": "The vulnerable technology, J2497, has been fielded since 2001 and the service lifetime of trailers is 15 to 30 years. For new equipment, the industry should consider dropping all J2497 features except for backwards-compatibility with LAMP ON detection only. For trailer equipment this means migrating all diagnostics to whatever newer trailer buses are established as the norm. For tractor equipment this means removing support for reception of any J2497 message other than LAMP messages and protecting the backwards-compatible trailers from attack. \n\nNMFTA has published detailed information about how to mitigate these issues in the following ways:\nInstall a LAMP ON firewall for each ECU\nUse a LAMP detect circuit LAMP ON sender with each trailer\nChange addresses dynamically on each tractor in response to detecting a transmitter on its current address. \nInstall RF chokes on each trailer between chassis ground and wiring ground\nLoad with LAMP keyhole signal on each tractor\nFlood with jamming signal on each tractor\nPlease see the publication from the NMFTA for additional details on these and other solutions."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "Power Line Communications PLC4TRUCKS J2497 trailer brake controllers implement diagnostic functions which can be invoked by replaying J2497 messages. There is no authentication or authorization for these functions."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2022-03-07T15:28:22.000Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "National Motor Freight Traffic Association, Inc. (NMFTA) researcher Ben Gardiner, NMFTA motor freight carrier members, and Assured Information Security researchers Chris Poore, Dan Salloum, and Eric Thayer reported this vulnerability to CISA."}], "impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, "source": {"discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "J2497 ", "version_affected": "="}]}, "product_name": "PLC4TRUCKS"}]}, "vendor_name": "Power Line Communications"}]}}, "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-063-01", "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-063-01", "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Power Line Communications PLC4TRUCKS J2497 trailer brake controllers implement diagnostic functions which can be invoked by replaying J2497 messages. There is no authentication or authorization for these functions."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-306"}]}]}, "work_around": [{"lang": "en", "value": "The vulnerable technology, J2497, has been fielded since 2001 and the service lifetime of trailers is 15 to 30 years. For new equipment, the industry should consider dropping all J2497 features except for backwards-compatibility with LAMP ON detection only. For trailer equipment this means migrating all diagnostics to whatever newer trailer buses are established as the norm. For tractor equipment this means removing support for reception of any J2497 message other than LAMP messages and protecting the backwards-compatible trailers from attack. \n\nNMFTA has published detailed information about how to mitigate these issues in the following ways:\nInstall a LAMP ON firewall for each ECU\nUse a LAMP detect circuit LAMP ON sender with each trailer\nChange addresses dynamically on each tractor in response to detecting a transmitter on its current address. \nInstall RF chokes on each trailer between chassis ground and wiring ground\nLoad with LAMP keyhole signal on each tractor\nFlood with jamming signal on each tractor\nPlease see the publication from the NMFTA for additional details on these and other solutions."}], "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-25922", "STATE": "PUBLIC", "TITLE": "ICSA-22-063-01 Missing Authentication for Critical Function in Trailer Power Line Communications (PLC) J2497", "ASSIGNER": "ics-cert@hq.dhs.gov"}}}}, "cveMetadata": {"cveId": "CVE-2022-25922", "state": "PUBLISHED", "dateUpdated": "2025-04-16T16:43:59.855Z", "dateReserved": "2022-03-01T00:00:00.000Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2022-03-07T15:28:22.000Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:hegemonelectronics:plc4trucks_firmware:j2497:*:*:*:*:*:*:*", "matchCriteriaId": "774D3BA3-3A55-4B22-AA73-1D00E77459C0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:hegemonelectronics:plc4trucks:-:*:*:*:*:*:*:*", "matchCriteriaId": "E2D5DA42-3968-479B-821F-539E853F5178", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Power Line Communications PLC4TRUCKS J2497 trailer brake controllers implement diagnostic functions which can be invoked by replaying J2497 messages. There is no authentication or authorization for these functions."}, {"lang": "es", "value": "Los controladores de freno de remolque PLC4TRUCKS J2497 de Power Line Communications implementan funciones de diagn\u00f3stico que pueden ser invocadas mediante la reproducci\u00f3n de mensajes J2497. No se presenta autenticaci\u00f3n ni autorizaci\u00f3n para estas funciones"}], "id": "CVE-2022-25922", "lastModified": "2024-11-21T06:53:13.103", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.2, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-10T17:47:27.927", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-063-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-063-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}