PatchSiren

CVE-2022-30266 Emerson CVE debrief

CVE-2022-30266 is a medium-severity vulnerability affecting Emerson PACSystem industrial controllers and Fanuc VersaMax devices. The issue stems from client-side JavaScript implementing a simple hashing scheme for credential protection. An attacker positioned to intercept network traffic could capture these hashes, strip the hashing mechanism, and recover plaintext credentials. However, multiple constraints significantly limit exploitability: credentials expire after five minutes due to TLS protocol protections, physical presence is required to press a button on the device, and successful exploitation only permits firmware version upgrades or downgrades—not arbitrary code execution or operational control. The vulnerability does not affect older PLCs lacking network-based update capabilities. CISA published this advisory on June 6, 2024, though the CVE itself dates to 2022.

Vendor: Emerson
Product: PACSystem RXi
CVSS: MEDIUM 4
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-06-06
Original CVE updated: 2024-06-06
Advisory published: 2024-06-06
Advisory updated: 2024-06-06

Who should care

Industrial control system operators, OT security engineers, critical infrastructure asset owners, Emerson PACSystem administrators, and organizations with Fanuc VersaMax deployments should prioritize this vulnerability. The physical access requirement makes this most relevant to facilities with shared or insufficiently secured equipment spaces, or those with concerns about insider threats. Organizations subject to NERC CIP, IEC 62443, or similar industrial cybersecurity frameworks should review this against their asset inventory and access control implementations.

Technical summary

The vulnerability exists in the authentication mechanism for firmware updates on Emerson PACSystem controllers. Client-side JavaScript performs credential hashing using a simple scheme that can be reversed by an attacker intercepting the hash values. The attack requires: (1) network position to intercept TLS-encrypted traffic containing authentication hashes, (2) physical presence at the device to initiate the update process via button press, and (3) exploitation within a five-minute credential validity window. Successful authentication grants only firmware modification privileges, not operational control of the PLC. The CVSS 3.1 score of 4.0 (Medium) reflects the physical attack vector and high complexity. Affected products include PACSystem RXi, RX3i, RSTi-EP, and Fanuc VersaMax controllers with network-based update capabilities.

Defensive priority

Medium

Recommended defensive actions

  • Restrict physical access to Emerson PACSystem RXi, RX3i, RSTi-EP, and Fanuc VersaMax controllers per vendor secure deployment guidance
  • Disable IP routing on control networks to limit network exposure
  • Implement network segmentation to isolate industrial control systems from enterprise networks
  • Review and apply sections 2.4 (General Recommendations), 4.3 (Authentication), 5.2.1.1 (Disabling Ethernet Services), and 6.1 (Reference Architecture) from the PACSystems Secure Deployment Guide (GFK-2830Y)
  • Consider disabling unnecessary Ethernet services on affected controllers where firmware updates are not required
  • Ensure SRP6-a authentication is enabled where supported to strengthen credential protection
  • Conduct personnel security training and implement physical security perimeter controls for critical infrastructure
  • Monitor for anomalous firmware version changes on affected devices
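
Because successful exploitation results only in a firmware upgrade or downgrade, the last action above is the main detection point. The following is an added example, not code from the advisory or from Emerson: it compares polled firmware versions against an approved baseline and change windows. Asset names, version strings, and the poll format are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data; asset names and version strings are hypothetical.
BASELINE = {"rx3i-line1": "10.15", "rxi-packing": "9.40", "versamax-07": "4.20"}
# Approved maintenance windows per asset as (start, end) ISO timestamps.
CHANGE_WINDOWS = {"rx3i-line1": [("2024-06-10T02:00", "2024-06-10T04:00")]}
# Poll results: (timestamp, asset, firmware version reported by the device).
OBSERVATIONS = [
    ("2024-06-09T23:00", "rx3i-line1", "10.15"),
    ("2024-06-10T03:00", "rx3i-line1", "10.20"),   # inside approved window
    ("2024-06-11T14:30", "rxi-packing", "9.10"),   # unapproved downgrade
    ("2024-06-12T01:00", "rx3i-line1", "10.15"),   # rollback outside window
    ("2024-06-12T08:00", "versamax-07", "4.30"),   # unapproved upgrade
    ("2024-06-12T09:00", "rxi-spare", "9.40"),     # not in the baseline
]

def parse_version(text):
    """Turn '10.15' into (10, 15) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def in_window(asset, ts, windows):
    """True if ts falls inside an approved change window for the asset."""
    when = datetime.fromisoformat(ts)
    return any(datetime.fromisoformat(start) <= when <= datetime.fromisoformat(end)
               for start, end in windows.get(asset, []))

def detect_firmware_drift(baseline, observations, windows):
    """Return one finding per firmware change made outside an approved window."""
    current = dict(baseline)          # last known version per asset
    findings = []
    for ts, asset, version in sorted(observations):
        previous = current.get(asset)
        current[asset] = version      # track the device's real state either way
        if previous is None:
            kind = "unbaselined"      # device missing from the asset inventory
        elif version == previous:
            continue
        elif in_window(asset, ts, windows):
            continue                  # approved change: accept silently
        elif parse_version(version) < parse_version(previous):
            kind = "downgrade"
        else:
            kind = "upgrade"
        findings.append({"time": ts, "asset": asset, "kind": kind,
                         "from": previous, "to": version})
    return findings

if __name__ == "__main__":
    for finding in detect_firmware_drift(BASELINE, OBSERVATIONS, CHANGE_WINDOWS):
        print(finding)
```

Downgrades are reported separately from upgrades so they can be triaged first, since a rollback can reintroduce issues that a later firmware release fixed.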

Evidence notes

All technical details and mitigation guidance are derived from CISA CSAF advisory ICSA-24-158-01, published June 6, 2024. The CVSS 3.1 vector confirms a physical attack vector (AV:P) with high attack complexity (AC:H).
