Security News > 2022 > May > OAS platform vulnerable to critical RCE and API access flaws
The OAS platform is a widely used data connectivity solution that unites industrial devices, SCADA systems, IoTs, network points, custom applications, custom APIs, and databases under a holistic system.
According to a report by Cisco Talos, OAS platform version 16.00.0112 and below is vulnerable to a range of high and critical severity bugs that create the potential for damaging attacks.
Starting with the most critical of the bunch, CVE-2022-26833 has a CVSS severity rating of 9.4 out of 10 and concerns the unauthenticated access and use of the REST API functionality in OAS. An attacker could trigger the exploitation of this flaw by sending a series of specially crafted HTTP requests to the vulnerable endpoints.
As Cisco explains, the REST API is designed to give programmatic access for configuration changes and data viewing to the "Default" user, which Talos researchers were able to authenticate by sending a request with a blank username and password.
The second critical flaw is CVE-2022-26082, rated at 9.1, which is a file write vulnerability in the OAS Engine SecureTransferFiles module.
Otherwise, upgrading to a more recent version of the OAS platform would be advisable.
News URL
Related news
- Critical RCE bug in Microsoft Outlook now exploited in attacks (source)
- Critical PHP RCE vulnerability mass exploited in new attacks (source)
- Critical RCE flaw in Apache Tomcat actively exploited in attacks (source)
- Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120) (source)
- Infoseccers criticize Veeam over critical RCE vulnerability and a failing blacklist (source)
- Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-05-25 | CVE-2022-26833 | Unspecified vulnerability in Openautomationsoftware OAS Platform 16.00.0112 An improper authentication vulnerability exists in the REST API functionality of Open Automation Software OAS Platform V16.00.0121. | 9.4 |
| 2022-05-25 | CVE-2022-26082 | Unspecified vulnerability in Openautomationsoftware OAS Platform 16.00.0112 A file write vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. | 9.8 |