GE ToolboxST <7.10 Deserialization RCE Vulnerability
CVE-2023-1552 Published on April 11, 2023

ToolboxST Deserialization of Untrusted Configuration Data
ToolboxST prior to version 7.10 is affected by a deserialization vulnerability. An attacker with local access to an HMI or who has conducted a social engineering attack on an authorized operator could execute code in a Toolbox user's context through the deserialization of an untrusted configuration file. Two CVSS scores have been provided to capture the differences between the two aforementioned attack vectors.  Customers are advised to update to ToolboxST 7.10 which can be found in ControlST 7.10. If unable to update at this time customers should ensure they are following the guidance laid out in GE Gas Power's Secure Deployment Guide (GEH-6839). Customers should ensure they are not running ToolboxST as an Administrative user. 

NVD

Vulnerability Analysis

CVE-2023-1552 is exploitable with local system access, requires user interaction and user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
LOCAL
Attack Complexity:
HIGH
Privileges Required:
HIGH
User Interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
NONE

Products Associated with CVE-2023-1552

Want to know whenever a new CVE is published for GE Toolboxst? stack.watch will email you.

GE Toolboxst
 

Affected Versions

GE Gas Power ToolboxST:

Exploit Probability

EPSS
0.05%
Percentile
14.81%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.