CVE-2023-39463

{"id": "CVE-2023-39463", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "zdi-disclosures@trendmicro.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2024-05-03T03:15:11.703", "references": [{"url": "https://www.trianglemicroworks.com/products/scada-data-gateway/what's-new", "tags": ["Release Notes"], "source": "zdi-disclosures@trendmicro.com"}, {"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1031/", "tags": ["Third Party Advisory"], "source": "zdi-disclosures@trendmicro.com"}, {"url": "https://www.trianglemicroworks.com/products/scada-data-gateway/what's-new", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1031/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "zdi-disclosures@trendmicro.com", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "Triangle MicroWorks SCADA Data Gateway Trusted Certification Unrestricted Upload of File Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Triangle MicroWorks SCADA Data Gateway. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.\n\nThe specific flaw exists within the trusted certification feature. The issue lies in the handling of the OpcUaSecurityCertificateAuthorityTrustDir variable, which allows an arbitrary file write with attacker-controlled data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-20537."}, {"lang": "es", "value": "Certificaci\u00f3n confiable de Triangle MicroWorks SCADA Data Gateway Carga sin restricciones de archivos Vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo. Esta vulnerabilidad permite a atacantes remotos ejecutar c\u00f3digo arbitrario en las instalaciones afectadas de Triangle MicroWorks SCADA Data Gateway. Aunque se requiere autenticaci\u00f3n para aprovechar esta vulnerabilidad, se puede omitir el mecanismo de autenticaci\u00f3n existente. La falla espec\u00edfica existe dentro de la funci\u00f3n de certificaci\u00f3n confiable. El problema radica en el manejo de la variable OpcUaSecurityCertificateAuthorityTrustDir, que permite la escritura arbitraria de archivos con datos controlados por el atacante. Un atacante puede aprovechar esta vulnerabilidad para ejecutar c\u00f3digo en el contexto de SYSTEM. Era ZDI-CAN-20537."}], "lastModified": "2025-06-17T21:03:30.330", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:trianglemicroworks:scada_data_gateway:5.1.3.20324:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B3AC0B76-A64D-4650-AFF9-4B9AE5A8C4C3"}], "operator": "OR"}]}], "sourceIdentifier": "zdi-disclosures@trendmicro.com"}