CVE-2022-28223

Published: Mar 30, 2022Modified: Jun 17, 2026

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

Tekon KIO devices through 2022-03-30 allow an authenticated admin user to escalate privileges to root by uploading a malicious Lua plugin.

Affected (8)

Products: Tekon: Kio Firmware, Kio 1m Firmware, Kio 2mrs Firmware, Kio 2m Firmware, Kio 2ms Firmware, Kio 2md Firmware, Kio 8(4) Firmware, Kio 8(4)l Firmware

8 products

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Tekon Kio Firmware	Up to 2022-03-30

Running on/with	Platform Versions
Tekon Kio	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Tekon Kio 1m Firmware	Up to 2022-03-30

Running on/with	Platform Versions
Tekon Kio 1m	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Tekon Kio 2mrs Firmware	Up to 2022-03-30

Running on/with	Platform Versions
Tekon Kio 2mrs	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Tekon Kio 2m Firmware	Up to 2022-03-30

Running on/with	Platform Versions
Tekon Kio 2m	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Tekon Kio 2ms Firmware	Up to 2022-03-30

Running on/with	Platform Versions
Tekon Kio 2ms	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Tekon Kio 2md Firmware	Up to 2022-03-30

Running on/with	Platform Versions
Tekon Kio 2md	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Tekon Kio 8(4) Firmware	Up to 2022-03-30

Running on/with	Platform Versions
Tekon Kio 8(4)	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Tekon Kio 8(4)l Firmware	Up to 2022-03-30

Running on/with	Platform Versions
Tekon Kio 8(4)l	All versions

Related CWEs

CWE-434

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (2)

https://medium.com/%40bertinjoseb/post-auth-rce-based-in-malicious-lua-plugin-script-upload-scada-controllers-located-in-russia-57044425ac38

Source: cve@mitre.org

https://medium.com/%40bertinjoseb/post-auth-rce-based-in-malicious-lua-plugin-script-upload-scada-controllers-located-in-russia-57044425ac38

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.