CRITICAL · CVE-2022-31483 · CVSS 9.1

CVE-2022-31483: Arbitrary File Access in HID Mercury Controllers

Platform

linux

Component

hid-mercury-intelligent-controllers

Fixed in

1.271


AI Confidence: high · NVD · EPSS 0.6% · Reviewed: May 2026

CVE-2022-31483 describes an Arbitrary File Access vulnerability present in HID Mercury Intelligent Controllers running firmware versions prior to 1.271. This vulnerability allows an authenticated attacker to upload files with manipulated filenames, enabling them to overwrite sensitive system files. Successful exploitation can lead to root access on the underlying Linux operating system, posing a significant security risk.

Impact and Attack Scenarios

The impact of CVE-2022-31483 is severe. An attacker exploiting this vulnerability can upload arbitrary files to any location on the controller's filesystem. This allows for the overwriting of critical system files, potentially leading to a complete compromise of the device. The attacker could install a startup service to maintain persistent remote access with root privileges, effectively establishing a backdoor. This could be leveraged for data exfiltration, denial of service, or further attacks against connected systems. The ability to gain root access represents a significant escalation of privileges and a substantial blast radius.

Exploitation Context

CVE-2022-31483 was publicly disclosed on June 6, 2022. While no active exploitation campaigns have been publicly confirmed, the vulnerability's critical severity and ease of exploitation make it a potential target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the vulnerability's nature suggests that development is likely. The ability to achieve root access with relative ease increases the likelihood of exploitation.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: NO
Internet Exposure: High

EPSS

0.62% (70% percentile)

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Base score: 9.1 (CRITICAL)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: High (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Changed (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)

What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
High — admin or privileged account required to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: hid-mercury-intelligent-controllers
Vendor: LenelS2
Affected range: ALL – 1.271
Fixed in: 1.271

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2022-31483 is to upgrade the HID Mercury Intelligent Controllers firmware to version 1.271 or later. If an immediate upgrade is not possible due to compatibility concerns or system downtime requirements, consider implementing stricter file upload validation on the web interface to prevent the injection of malicious filenames containing “..” and “/”. While not a complete solution, this can reduce the attack surface. Monitor system logs for unusual file creation or modification activity, particularly in sensitive system directories. After upgrading the firmware, verify the fix by attempting a file upload with a filename containing “..” and “/” – the upload should be rejected.
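The filename validation described above, sketched as an added example: this is not HID or LenelS2 code and is not from the original page. The names `resolve_upload_path`, `naive_upload_path` and `RejectedUpload`, the allow-list pattern and the sample paths are all assumptions made for illustration.

```python
import os
import re
from pathlib import Path

# Allow-list of plain file names (assumed policy, not taken from the vendor).
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


class RejectedUpload(ValueError):
    """Raised when a client-supplied filename fails validation."""


def naive_upload_path(upload_dir: str, client_name: str) -> str:
    """The vulnerable pattern: joins the client name without any check."""
    return os.path.normpath(os.path.join(upload_dir, client_name))


def resolve_upload_path(upload_dir: str, client_name: str) -> Path:
    """Return the path an upload may be written to, or raise RejectedUpload."""
    # 1. Reject separators, NUL and ".." before touching the filesystem.
    if any(ch in client_name for ch in ("/", "\\", "\x00")):
        raise RejectedUpload("path separator or NUL in filename")
    if ".." in client_name:
        raise RejectedUpload("dot-dot sequence in filename")
    if not SAFE_NAME.fullmatch(client_name):
        raise RejectedUpload("filename outside allow-list")
    # 2. Defence in depth: the resolved target must sit directly inside
    #    upload_dir, which also catches a symlink planted in that directory.
    base = Path(upload_dir).resolve()
    target = (base / client_name).resolve()
    if target.parent != base:
        raise RejectedUpload("resolved path escapes upload directory")
    return target


if __name__ == "__main__":
    # Constructed sample input: a traversal name escapes the naive join.
    print(naive_upload_path("/var/uploads", "../../etc/example.conf"))
    try:
        resolve_upload_path("/var/uploads", "../../etc/example.conf")
    except RejectedUpload as exc:
        print("rejected:", exc)
```

Log every `RejectedUpload` with the authenticated account and source address; a rejected traversal name from a privileged session is worth alerting on in its own right.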

How to fix

Update the firmware of the HID Mercury Intelligent Controllers to version 1.271 or later. This corrects the vulnerability that allows arbitrary file writing and potential remote access with root privileges.


Frequently asked questions

What is CVE-2022-31483 — Arbitrary File Access in HID Mercury Controllers?

CVE-2022-31483 is a critical vulnerability allowing authenticated attackers to upload files to any location on HID Mercury Intelligent Controllers, potentially leading to root access and system compromise.

Am I affected by CVE-2022-31483 in HID Mercury Controllers?

You are affected if you are using HID Mercury Intelligent Controllers with firmware versions prior to 1.271. Check your firmware version and upgrade immediately if necessary.

How do I fix CVE-2022-31483 in HID Mercury Controllers?

The recommended fix is to upgrade the firmware to version 1.271 or later. Implement stricter file upload validation as a temporary workaround if an upgrade is not immediately possible.

Is CVE-2022-31483 being actively exploited?

While no active exploitation campaigns have been publicly confirmed, the vulnerability's severity and ease of exploitation suggest it is a potential target.

Where can I find the official HID advisory for CVE-2022-31483?

Refer to the HID advisory for detailed information and updates: https://www.hidglobal.com/security-advisory/hid-mercury-intelligent-controllers-arbitrary-file-access-vulnerability
