Unitronics Unistream Unilogic – Versions prior to 1.35.227 - CWE-22: 'Path Traversal' may allow RCE
The CWE-22 (path traversal) vulnerability consists of insufficient validation of file paths transmitted over the network, allowing an attacker to escape the application's permitted directory. By sending an appropriately crafted request containing sequences such as '../', the attacker can access any files on the system or place a malicious file in a critical location. As a result, remote code execution on the target device is possible.
An attacker can gain full control over the device without authentication, obtaining access to sensitive data, modifying system configuration, and executing arbitrary code (RCE), which in an industrial environment can lead to disruption or sabotage of control processes.
Update Unitronics Unistream Unilogic software to version 1.35.227 or newer. Detailed information is available in the manufacturer's references and in the guide published by Claroty Team82.
Unitronics Unistream Unilogic in versions earlier than 1.35.227
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HUnitronics Unilogic
APPUnitronics< 1.35.227
Related vulnerabilities
Pominięcie uwierzytelnienia w Unitronics Unilogic (Authentication Bypass)
Unitronics Unistream Unilogic – Versions prior to 1.35.227 - CWE-200: Exposure of Sensitive Information to ...
Unitronics Unistream Unilogic – Versions prior to 1.35.227 - CWE-23: Relative Path Traversal
Unitronics Unistream Unilogic – Versions prior to 1.35.227 - CWE-22: 'Path Traversal' may allow RCE
Unitronics Unistream Unilogic – Versions prior to 1.35.227 - CWE-78: 'OS Command Injection' may allow RCE