A deep dive into CVE-2022-21935, a vulnerability affecting Johnson Controls' Metasys ADS/ADX/OAS servers.
Understanding CVE-2022-21935
This CVE describes a security flaw in the Metasys ADS/ADX/OAS servers that allows for unverified password changes.
What is CVE-2022-21935?
CVE-2022-21935 affects Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2, and is rated high risk.
The Impact of CVE-2022-21935
The vulnerability poses a significant risk with a CVSS base score of 7.5, affecting confidentiality, integrity, and availability.
Technical Details of CVE-2022-21935
An overview of the vulnerability specifics.
Vulnerability Description
The flaw allows account passwords to be changed without the change being verified, so an unauthorized user can set a new password and gain unauthorized access to the server.
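The weakness class described here, a password change that is not verified against the caller's identity or current credentials, is easiest to see side by side with a hardened handler. The following is an added illustration written for this page; it is not Metasys code and makes no claim about how the product implements password changes. The user store, session table, usernames and passwords are all constructed for the example.

```python
"""Added example (not Metasys or Johnson Controls code): a self-service
password-change handler with the weakness the advisory describes, next to a
hardened version. Users, passwords and session handling are constructed."""
import hashlib
import hmac
import os
import secrets

# Constructed in-memory user store: username -> {"salt": bytes, "hash": bytes}
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}

USERS = {"operator": make_user("Op3rator!pass"), "admin": make_user("Adm1n!pass")}

def verify_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        _hash(password, b"\x00" * 16)  # spend the same time for unknown users
        return False
    return hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])

# --- Vulnerable handler: trusts the request body alone. Anyone who can reach
# the endpoint and name an account can set that account's password.
def change_password_vulnerable(request: dict) -> bool:
    target = request["username"]
    if target not in USERS:
        return False
    USERS[target] = make_user(request["new_password"])
    return True

# --- Hardened handler: requires an authenticated session, restricts the change
# to the caller's own account, and re-verifies the current password.
SESSIONS = {}  # token -> username (constructed session table)

def login(username: str, password: str):
    if not verify_password(username, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

def change_password_hardened(request: dict) -> bool:
    token = request.get("session_token")
    actor = SESSIONS.get(token)
    if actor is None:
        return False  # unauthenticated request
    if actor != request["username"]:
        return False  # no changing another account through self-service
    if not verify_password(actor, request.get("current_password", "")):
        return False  # caller must prove knowledge of the current secret
    new = request["new_password"]
    if len(new) < 12:
        return False  # minimum length policy (constructed value)
    USERS[actor] = make_user(new)
    # Invalidate every other session of this user after a credential change.
    for other in [t for t, u in SESSIONS.items() if u == actor and t != token]:
        del SESSIONS[other]
    return True
```

The hardened handler ties the change to three facts the vulnerable one never checks: who is asking (a valid session), whether they are allowed to change this account, and whether they know the current password. Those are exactly the checks whose absence turns a password-change endpoint into an account-takeover primitive.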
Affected Systems and Versions
Metasys ADS/ADX/OAS 10 server versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 server versions prior to 11.0.2 are affected by this vulnerability.
Exploitation Mechanism
An attacker on an adjacent network can exploit the vulnerability without any user interaction.
Mitigation and Prevention
Steps to address and prevent the CVE-2022-21935 vulnerability.
Immediate Steps to Take
Users are advised to update all Metasys ADS/ADX/OAS 10 installations to version 10.1.5 and all Metasys ADS/ADX/OAS 11 installations to version 11.0.2 to mitigate the risk.
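Because the fixed release differs per major branch, a version check for this advisory has to compare against 10.1.5 for 10.x installs and 11.0.2 for 11.x installs, and should not silently pass a branch the advisory does not cover. The following triage helper is an added example written for this page, not a tool from the vendor or the advisory; the host names and version strings in the inventory are constructed.

```python
"""Added example (not vendor tooling): flag Metasys ADS/ADX/OAS servers whose
reported version is below the fixed release for their major branch, using the
thresholds the advisory states (10.1.5 for 10.x, 11.0.2 for 11.x)."""
import re
from typing import Optional, Tuple

# Fixed release per major branch, as stated in the advisory.
FIXED = {10: (10, 1, 5), 11: (11, 0, 2)}

def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major[.minor[.patch]]' into a comparable tuple; missing parts are 0."""
    m = re.fullmatch(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())  # type: ignore[return-value]

def is_vulnerable(version: str) -> Optional[bool]:
    """True if below the fixed release of its branch, False if at or above it,
    None if the major branch is not covered by this advisory (check vendor guidance)."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return None
    return v < fixed

# Constructed inventory: (hostname, reported version). Not real assets.
INVENTORY = [
    ("ads-bldg1", "10.1.4"),
    ("adx-bldg2", "10.1.5"),
    ("oas-plant", "11.0.1"),
    ("adx-hq", "11.0.2"),
    ("ads-legacy", "10.1"),
    ("adx-lab", "12.0.0"),
]

def triage(inventory):
    """Return (needs_patch, unknown_branch) host lists, each sorted."""
    needs_patch, unknown = [], []
    for host, ver in inventory:
        status = is_vulnerable(ver)
        if status is None:
            unknown.append(host)
        elif status:
            needs_patch.append(host)
    return sorted(needs_patch), sorted(unknown)

if __name__ == "__main__":
    patch, unknown = triage(INVENTORY)
    print("needs patch:", patch)
    print("branch not covered by advisory:", unknown)
```

A version reported as "10.1" is treated as 10.1.0 and therefore flagged, which is the conservative choice for an inventory check; hosts on a branch the advisory does not list are reported separately rather than assumed safe.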
Long-Term Security Practices
Implement robust password policies, access controls, and network segmentation (in particular, limit which networks can reach the Metasys servers) to strengthen the overall security posture.
Patching and Updates
Regularly apply security patches and updates to ensure systems are protected against emerging threats.