CVE-2023-1552

Published: Apr 11, 2023

Modified: Feb 6, 2025

PUBLISHED

CVSS v3.1

2.9

LOW

Description

ToolboxST prior to version 7.10 is affected by a deserialization vulnerability. An attacker with local access to an HMI or who has conducted a social engineering attack on an authorized operator could execute code in a Toolbox user's context through the deserialization of an untrusted configuration file. Two CVSS scores have been provided to capture the differences between the two aforementioned attack vectors. Customers are advised to update to ToolboxST 7.10 which can be found in ControlST 7.10. If unable to update at this time customers should ensure they are following the guidance laid out in GE Gas Power's Secure Deployment Guide (GEH-6839). Customers should ensure they are not running ToolboxST as an Administrative user.

Vendor	Product	Versions
GE Gas Power	ToolboxST	affected `0 - < 7.10`

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N

Attack Vector

Local

Attack Complexity

High

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

References

https://www.ge.com/content/dam/cyber_security/global/en_US/pdfs/2023-03-23_ToolboxST_Deserialization_of_Untrusted_Configuration_Data.pdf

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-1552

Description

Affected Products

CVSS v3.1 Details

References