CVE-2024-2882 - Vulnerability Details - OpenCVE

Description

SDG Technologies PnPSCADA allows a remote attacker to attach various entities without requiring system authentication. This breach could potentially lead to unauthorized control, data manipulation, and access to sensitive information within the SCADA system.

Published: 2024-06-27

Score: 9.3 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SDG Technologies

PnPSCADA

unaffected

Version	Status	Constraints
`0`	affected	< 4

No data.

No data.

No data available yet.

Remediation

Vendor Solution

SDG Technologies recommends that users use the updated PnPSCADA 4. For more information about PnPSCADA 4 contact SDG Technologies https://wiki.pnpscada.com/farticle.jsp .

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-27826	SDG Technologies PnPSCADA allows a remote attacker to attach various entities without requiring system authentication. This breach could potentially lead to unauthorized control, data manipulation, and access to sensitive information within the SCADA system.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0057.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-02

History

No history.

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2024-06-27T18:55:42.276Z

Updated: 2024-08-01T19:25:42.123Z

Reserved: 2024-03-25T22:24:09.229Z

Link: CVE-2024-2882

Vulnrichment

Updated: 2024-08-01T19:25:42.123Z

NVD

Status : Deferred

Published: 2024-06-27T19:15:13.667

Modified: 2026-04-15T00:35:42.020

Link: CVE-2024-2882

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-862

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-2882", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2024-03-25T22:24:09.229Z", "datePublished": "2024-06-27T18:55:42.276Z", "dateUpdated": "2024-08-01T19:25:42.123Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "PnPSCADA", "vendor": "SDG Technologies", "versions": [{"lessThan": "4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Momen Eldawakhly of Samurai Digital Security Ltd reported this vulnerability to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">SDG Technologies PnPSCADA allows a remote attacker to attach various entities without requiring system authentication. This breach could potentially lead to unauthorized control, data manipulation, and access to sensitive information within the SCADA system.</span>"}], "value": "SDG Technologies PnPSCADA allows a remote attacker to attach various entities without requiring system authentication. This breach could potentially lead to unauthorized control, data manipulation, and access to sensitive information within the SCADA system."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-06-27T18:55:42.276Z"}, "references": [{"tags": ["government-resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-02"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>SDG Technologies recommends that users use the updated PnPSCADA 4.</p><p>For more information about PnPSCADA 4 contact <a target=\"_blank\" rel=\"nofollow\" href=\"https://wiki.pnpscada.com/farticle.jsp?article=126\">SDG Technologies</a>.</p>"}], "value": "SDG Technologies recommends that users use the updated PnPSCADA 4.\n\nFor more information about PnPSCADA 4 contact SDG Technologies https://wiki.pnpscada.com/farticle.jsp ."}], "source": {"discovery": "UNKNOWN"}, "title": "Missing Authorization in SDG Technologies PnPSCADA", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "sdg", "product": "pnpscada", "cpes": ["cpe:2.3:a:sdg:pnpscada:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "4", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-02T19:29:24.380105Z", "id": "CVE-2024-2882", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-02T19:38:03.421Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:25:42.123Z"}, "title": "CVE Program Container", "references": [{"tags": ["government-resource", "x_transferred"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-02"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-02", "tags": ["government-resource", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:25:42.123Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-2882", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-02T19:29:24.380105Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:sdg:pnpscada:*:*:*:*:*:*:*:*"], "vendor": "sdg", "product": "pnpscada", "versions": [{"status": "affected", "version": "0", "lessThan": "4", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-02T19:36:56.277Z"}}], "cna": {"title": "Missing Authorization in SDG Technologies PnPSCADA", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Momen Eldawakhly of Samurai Digital Security Ltd reported this vulnerability to CISA."}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SDG Technologies", "product": "PnPSCADA", "versions": [{"status": "affected", "version": "0", "lessThan": "4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "SDG Technologies recommends that users use the updated PnPSCADA 4.\n\nFor more information about PnPSCADA 4 contact SDG Technologies https://wiki.pnpscada.com/farticle.jsp .", "supportingMedia": [{"type": "text/html", "value": "<p>SDG Technologies recommends that users use the updated PnPSCADA 4.</p><p>For more information about PnPSCADA 4 contact <a target=\"_blank\" rel=\"nofollow\" href=\"https://wiki.pnpscada.com/farticle.jsp?article=126\">SDG Technologies</a>.</p>", "base64": false}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-02", "tags": ["government-resource"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "SDG Technologies PnPSCADA allows a remote attacker to attach various entities without requiring system authentication. This breach could potentially lead to unauthorized control, data manipulation, and access to sensitive information within the SCADA system.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">SDG Technologies PnPSCADA allows a remote attacker to attach various entities without requiring system authentication. This breach could potentially lead to unauthorized control, data manipulation, and access to sensitive information within the SCADA system.</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-06-27T18:55:42.276Z"}}}, "cveMetadata": {"cveId": "CVE-2024-2882", "state": "PUBLISHED", "dateUpdated": "2024-08-01T19:25:42.123Z", "dateReserved": "2024-03-25T22:24:09.229Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2024-06-27T18:55:42.276Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SDG Technologies PnPSCADA allows a remote attacker to attach various entities without requiring system authentication. This breach could potentially lead to unauthorized control, data manipulation, and access to sensitive information within the SCADA system."}, {"lang": "es", "value": "SDG Technologies PnPSCADA permite a un atacante remoto adjuntar varias entidades sin requerir autenticaci\u00f3n del sistema. Esta infracci\u00f3n podr\u00eda conducir potencialmente a un control no autorizado, manipulaci\u00f3n de datos y acceso a informaci\u00f3n confidencial dentro del sistema SCADA."}], "id": "CVE-2024-2882", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2024-06-27T19:15:13.667", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-02"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}