Get in Touch
Vulnerability discovered in Micro-Controller Operating System
Indiscriminate, opportunistic targeting.
A security vulnerability has been disclosed pertaining to the FTP server of the Micro-Controller Operating System (µC/OS). The flaw, tracked as CVE-2022-41985(CVSSv3 Score: 8.6 – High) relates to an authentication-bypass issue that can also lead to a denial-of-service (DoS) within affected products.
Successful exploitation of CVE-2022-41985 could allow a threat actor to bypass the authentication protocol on µC/OS or cause a DoS condition. As such, a threat actor could bypass the security mechanism of the vulnerable products, resulting in the compromise of the confidentiality and integrity of data.
– Weston Embedded uC-FTPs 1.98.00
Containment, Mitigations & Remediations
It is strongly recommended that users apply the affected product to the latest version.
Indicators of Compromise
No specific Indicators of Compromise (IoCs) are available currently.
The Micro-Controller Operating System occupies a reasonable portion of the operating system market share and is used commonly within the following industry sectors:
Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, it is possible that µC/OS products could emerge as prime targets. Due to the fact that the associated products are an integral aspect of business operations within the sectors mentioned above, threat actors will continue to exploit vulnerabilities contained within the associated products in an attempt to extract the sensitive data contained therein.
No attribution to specific threat actors or groups has been identified at the time of writing.
Common Weakness Enumeration:
CWE-303 – Incorrect Implementation of Authentication Algorithm