Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for OPC UA C++ SDK by Softing

    CVE-2025-7390 (GCVE-0-2025-7390)

    Vulnerability from nvd – Published: 2025-08-21 06:08 – Updated: 2026-03-27 08:36
    VLAI
    Title
    Bypass the client certificate trust check of an opc.https server while only secure communication is allowed
    Summary
    A malicious client can bypass the client certificate trust check of an opc.https server when the server endpoint is configured to allow only secure communication.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-295 - Improper Certificate Validation
    Assigner
    Impacted products
    Vendor Product Version
    Softing OPC UA C++ SDK Affected: 6.40 , ≤ 6.80 (custom)
    Unaffected: 6.80.1 (custom)
    Create a notification for this product.
    Softing edgeConnector Affected: 0 , ≤ 2025.03 (custom)
    Unaffected: SDEX Suite V1.0 (custom)
    Create a notification for this product.
    Softing edgeAggregator Affected: 0 , ≤ 2025.03 (custom)
    Unaffected: SDEX Suite V1.0 (custom)
    Create a notification for this product.
    Date Public
    2025-08-14 06:37
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-7390",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-21T13:51:51.306799Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-21T13:53:15.381Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://industrial.softing.com/products/opc-ua-and-opc-classic-sdks/opc-ua-c-sdks-for-windows.html",
              "defaultStatus": "unaffected",
              "modules": [
                "opc.https server"
              ],
              "platforms": [
                "Windows",
                "Linux",
                "VxWorks"
              ],
              "product": "OPC UA C++ SDK",
              "vendor": "Softing",
              "versions": [
                {
                  "lessThanOrEqual": "6.80",
                  "status": "affected",
                  "version": "6.40",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.80.1",
                  "versionType": "custom"
                }
              ]
            },
            {
              "collectionURL": "https://industrial.softing.com/de/produkte/docker-container/edgeconnector.html",
              "defaultStatus": "affected",
              "platforms": [
                "Linux"
              ],
              "product": "edgeConnector",
              "vendor": "Softing",
              "versions": [
                {
                  "lessThanOrEqual": "2025.03",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SDEX Suite V1.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "collectionURL": "https://industrial.softing.com/de/produkte/docker-container/edgeaggregator.html",
              "defaultStatus": "affected",
              "platforms": [
                "Linux"
              ],
              "product": "edgeAggregator",
              "vendor": "Softing",
              "versions": [
                {
                  "lessThanOrEqual": "2025.03",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SDEX Suite V1.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:softing:opc_ua_c_sdk:*:*:windows:*:*:*:*:*",
                      "versionEndIncluding": "6.80",
                      "versionStartIncluding": "6.40",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:softing:opc_ua_c_sdk:*:*:linux:*:*:*:*:*",
                      "versionEndIncluding": "6.80",
                      "versionStartIncluding": "6.40",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:softing:opc_ua_c_sdk:*:*:vxworks:*:*:*:*:*",
                      "versionEndIncluding": "6.80",
                      "versionStartIncluding": "6.40",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:softing:opc_ua_c_sdk:6.80.1:*:windows:*:*:*:*:*",
                      "vulnerable": false
                    },
                    {
                      "criteria": "cpe:2.3:a:softing:opc_ua_c_sdk:6.80.1:*:linux:*:*:*:*:*",
                      "vulnerable": false
                    },
                    {
                      "criteria": "cpe:2.3:a:softing:opc_ua_c_sdk:6.80.1:*:vxworks:*:*:*:*:*",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:softing:edgeconnector:*:*:linux:*:*:*:*:*",
                      "versionEndIncluding": "2025.03",
                      "versionStartIncluding": "0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:softing:edgeconnector:sdex_suite_v1.0:*:linux:*:*:*:*:*",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:softing:edgeaggregator:*:*:linux:*:*:*:*:*",
                      "versionEndIncluding": "2025.03",
                      "versionStartIncluding": "0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:softing:edgeaggregator:sdex_suite_v1.0:*:linux:*:*:*:*:*",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "datePublic": "2025-08-14T06:37:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A malicious client can bypass the client certificate trust check of an opc.https server when the server endpoint is configured to allow only secure communication."
                }
              ],
              "value": "A malicious client can bypass the client certificate trust check of an opc.https server when the server endpoint is configured to allow only secure communication."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-295",
                  "description": "CWE-295 Improper Certificate Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-27T08:36:30.497Z",
            "orgId": "10de8ef9-5c89-4b17-8228-e97b74acf4bd",
            "shortName": "Softing"
          },
          "references": [
            {
              "url": "https://industrial.softing.com/fileadmin/psirt/downloads/2025/CVE-2025-7390.html"
            },
            {
              "url": "https://industrial.softing.com/fileadmin/psirt/downloads/2025/CVE-2025-7390.json"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "OPC UA C++ SDK V6.80.1 Service-Patch\u003cbr\u003e"
                }
              ],
              "value": "OPC UA C++ SDK V6.80.1 Service-Patch"
            },
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "edgeAggregator \u0026amp; edgeConnector are now integrated in SDEX Suite: fix with V1.0"
                }
              ],
              "value": "edgeAggregator \u0026 edgeConnector are now integrated in SDEX Suite: fix with V1.0"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Bypass the client certificate trust check of an opc.https server while only secure communication is allowed",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "10de8ef9-5c89-4b17-8228-e97b74acf4bd",
        "assignerShortName": "Softing",
        "cveId": "CVE-2025-7390",
        "datePublished": "2025-08-21T06:08:00.210Z",
        "dateReserved": "2025-07-09T13:09:38.988Z",
        "dateUpdated": "2026-03-27T08:36:30.497Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-1748 (GCVE-0-2022-1748)

    Vulnerability from nvd – Published: 2022-08-17 20:08 – Updated: 2025-04-16 16:13
    VLAI
    Title
    Softing Secure Integration Server NULL Pointer Dereference
    Summary
    Softing OPC UA C++ Server SDK, Secure Integration Server, edgeConnector, edgeAggregator, OPC Suite, and uaGate are affected by a NULL pointer dereference vulnerability.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-476 - NULL Pointer Dereference
    Assigner
    References
    Credits
    Pedro Ribeiro and Radek Domanski, working with Trend Micro Zero Day Initiative, reported these vulnerabilities to Softing and CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:16:59.941Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-04"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-7.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-1748",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:53.897049Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:13:15.237Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Secure Integration Server",
              "vendor": "Softing",
              "versions": [
                {
                  "status": "affected",
                  "version": "V1.22"
                }
              ]
            },
            {
              "product": "OPC UA C++ SDK",
              "vendor": "Softing",
              "versions": [
                {
                  "status": "affected",
                  "version": "V6.00"
                }
              ]
            },
            {
              "product": "edgeConnector Siemens",
              "vendor": "Softing",
              "versions": [
                {
                  "status": "affected",
                  "version": "V3.10"
                }
              ]
            },
            {
              "product": "edgeConnector 840D",
              "vendor": "Softing",
              "versions": [
                {
                  "status": "affected",
                  "version": "V3.10"
                }
              ]
            },
            {
              "product": "edgeConnector Modbus",
              "vendor": "Softing",
              "versions": [
                {
                  "status": "affected",
                  "version": "V3.10"
                }
              ]
            },
            {
              "product": "edgeAggregator",
              "vendor": "Softing",
              "versions": [
                {
                  "status": "affected",
                  "version": "V3.10"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Pedro Ribeiro and Radek Domanski, working with Trend Micro Zero Day Initiative, reported these vulnerabilities to Softing and CISA."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Softing OPC UA C++ Server SDK, Secure Integration Server, edgeConnector, edgeAggregator, OPC Suite, and uaGate are affected by a NULL pointer dereference vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-476",
                  "description": "CWE-476: NULL Pointer Dereference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-17T20:08:38.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-04"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-7.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Softing released new versions to address these vulnerabilities and notified known users of the releases. Users are advised to update to the new versions:\nSofting Secure Integration Server V1.30 \n\nThe latest software packages can be downloaded from the Softing website. \n\nSofting recommends the following mitigations and workarounds: \nChange the admin password or create a new user with administrative rights and delete the default admin user. \nConfigure the Windows firewall to block network requests to IP port 9000. \nDisable the HTTP Server in NGINX configuration of the Softing Secure Integration Server, only using the HTTPS server. \nFor more details on these vulnerabilities and mitigations, users should see SYT-2022-7 on the Softing security website."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Softing Secure Integration Server NULL Pointer Dereference",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2022-1748",
              "STATE": "PUBLIC",
              "TITLE": "Softing Secure Integration Server NULL Pointer Dereference"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Secure Integration Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "V1.22"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "OPC UA C++ SDK",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "V6.00"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "edgeConnector Siemens",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "V3.10"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "edgeConnector 840D",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "V3.10"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "edgeConnector Modbus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "V3.10"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "edgeAggregator",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "V3.10"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Softing"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Pedro Ribeiro and Radek Domanski, working with Trend Micro Zero Day Initiative, reported these vulnerabilities to Softing and CISA."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Softing OPC UA C++ Server SDK, Secure Integration Server, edgeConnector, edgeAggregator, OPC Suite, and uaGate are affected by a NULL pointer dereference vulnerability."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-476: NULL Pointer Dereference"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-04",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-04"
                },
                {
                  "name": "https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-7.html",
                  "refsource": "CONFIRM",
                  "url": "https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-7.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Softing released new versions to address these vulnerabilities and notified known users of the releases. Users are advised to update to the new versions:\nSofting Secure Integration Server V1.30 \n\nThe latest software packages can be downloaded from the Softing website. \n\nSofting recommends the following mitigations and workarounds: \nChange the admin password or create a new user with administrative rights and delete the default admin user. \nConfigure the Windows firewall to block network requests to IP port 9000. \nDisable the HTTP Server in NGINX configuration of the Softing Secure Integration Server, only using the HTTPS server. \nFor more details on these vulnerabilities and mitigations, users should see SYT-2022-7 on the Softing security website."
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2022-1748",
        "datePublished": "2022-08-17T20:08:38.000Z",
        "dateReserved": "2022-05-16T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:13:15.237Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-7390 (GCVE-0-2025-7390)

    Vulnerability from cvelistv5 – Published: 2025-08-21 06:08 – Updated: 2026-03-27 08:36
    VLAI
    Title
    Bypass the client certificate trust check of an opc.https server while only secure communication is allowed
    Summary
    A malicious client can bypass the client certificate trust check of an opc.https server when the server endpoint is configured to allow only secure communication.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-295 - Improper Certificate Validation
    Assigner
    Impacted products
    Vendor Product Version
    Softing OPC UA C++ SDK Affected: 6.40 , ≤ 6.80 (custom)
    Unaffected: 6.80.1 (custom)
    Create a notification for this product.
    Softing edgeConnector Affected: 0 , ≤ 2025.03 (custom)
    Unaffected: SDEX Suite V1.0 (custom)
    Create a notification for this product.
    Softing edgeAggregator Affected: 0 , ≤ 2025.03 (custom)
    Unaffected: SDEX Suite V1.0 (custom)
    Create a notification for this product.
    Date Public
    2025-08-14 06:37
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-7390",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-21T13:51:51.306799Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-21T13:53:15.381Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://industrial.softing.com/products/opc-ua-and-opc-classic-sdks/opc-ua-c-sdks-for-windows.html",
              "defaultStatus": "unaffected",
              "modules": [
                "opc.https server"
              ],
              "platforms": [
                "Windows",
                "Linux",
                "VxWorks"
              ],
              "product": "OPC UA C++ SDK",
              "vendor": "Softing",
              "versions": [
                {
                  "lessThanOrEqual": "6.80",
                  "status": "affected",
                  "version": "6.40",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "6.80.1",
                  "versionType": "custom"
                }
              ]
            },
            {
              "collectionURL": "https://industrial.softing.com/de/produkte/docker-container/edgeconnector.html",
              "defaultStatus": "affected",
              "platforms": [
                "Linux"
              ],
              "product": "edgeConnector",
              "vendor": "Softing",
              "versions": [
                {
                  "lessThanOrEqual": "2025.03",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SDEX Suite V1.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "collectionURL": "https://industrial.softing.com/de/produkte/docker-container/edgeaggregator.html",
              "defaultStatus": "affected",
              "platforms": [
                "Linux"
              ],
              "product": "edgeAggregator",
              "vendor": "Softing",
              "versions": [
                {
                  "lessThanOrEqual": "2025.03",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "SDEX Suite V1.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:softing:opc_ua_c_sdk:*:*:windows:*:*:*:*:*",
                      "versionEndIncluding": "6.80",
                      "versionStartIncluding": "6.40",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:softing:opc_ua_c_sdk:*:*:linux:*:*:*:*:*",
                      "versionEndIncluding": "6.80",
                      "versionStartIncluding": "6.40",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:softing:opc_ua_c_sdk:*:*:vxworks:*:*:*:*:*",
                      "versionEndIncluding": "6.80",
                      "versionStartIncluding": "6.40",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:softing:opc_ua_c_sdk:6.80.1:*:windows:*:*:*:*:*",
                      "vulnerable": false
                    },
                    {
                      "criteria": "cpe:2.3:a:softing:opc_ua_c_sdk:6.80.1:*:linux:*:*:*:*:*",
                      "vulnerable": false
                    },
                    {
                      "criteria": "cpe:2.3:a:softing:opc_ua_c_sdk:6.80.1:*:vxworks:*:*:*:*:*",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:softing:edgeconnector:*:*:linux:*:*:*:*:*",
                      "versionEndIncluding": "2025.03",
                      "versionStartIncluding": "0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:softing:edgeconnector:sdex_suite_v1.0:*:linux:*:*:*:*:*",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:softing:edgeaggregator:*:*:linux:*:*:*:*:*",
                      "versionEndIncluding": "2025.03",
                      "versionStartIncluding": "0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:softing:edgeaggregator:sdex_suite_v1.0:*:linux:*:*:*:*:*",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "datePublic": "2025-08-14T06:37:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A malicious client can bypass the client certificate trust check of an opc.https server when the server endpoint is configured to allow only secure communication."
                }
              ],
              "value": "A malicious client can bypass the client certificate trust check of an opc.https server when the server endpoint is configured to allow only secure communication."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-295",
                  "description": "CWE-295 Improper Certificate Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-27T08:36:30.497Z",
            "orgId": "10de8ef9-5c89-4b17-8228-e97b74acf4bd",
            "shortName": "Softing"
          },
          "references": [
            {
              "url": "https://industrial.softing.com/fileadmin/psirt/downloads/2025/CVE-2025-7390.html"
            },
            {
              "url": "https://industrial.softing.com/fileadmin/psirt/downloads/2025/CVE-2025-7390.json"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "OPC UA C++ SDK V6.80.1 Service-Patch\u003cbr\u003e"
                }
              ],
              "value": "OPC UA C++ SDK V6.80.1 Service-Patch"
            },
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "edgeAggregator \u0026amp; edgeConnector are now integrated in SDEX Suite: fix with V1.0"
                }
              ],
              "value": "edgeAggregator \u0026 edgeConnector are now integrated in SDEX Suite: fix with V1.0"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Bypass the client certificate trust check of an opc.https server while only secure communication is allowed",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "10de8ef9-5c89-4b17-8228-e97b74acf4bd",
        "assignerShortName": "Softing",
        "cveId": "CVE-2025-7390",
        "datePublished": "2025-08-21T06:08:00.210Z",
        "dateReserved": "2025-07-09T13:09:38.988Z",
        "dateUpdated": "2026-03-27T08:36:30.497Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-1748 (GCVE-0-2022-1748)

    Vulnerability from cvelistv5 – Published: 2022-08-17 20:08 – Updated: 2025-04-16 16:13
    VLAI
    Title
    Softing Secure Integration Server NULL Pointer Dereference
    Summary
    Softing OPC UA C++ Server SDK, Secure Integration Server, edgeConnector, edgeAggregator, OPC Suite, and uaGate are affected by a NULL pointer dereference vulnerability.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-476 - NULL Pointer Dereference
    Assigner
    References
    Credits
    Pedro Ribeiro and Radek Domanski, working with Trend Micro Zero Day Initiative, reported these vulnerabilities to Softing and CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:16:59.941Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-04"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-7.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-1748",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:53.897049Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:13:15.237Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Secure Integration Server",
              "vendor": "Softing",
              "versions": [
                {
                  "status": "affected",
                  "version": "V1.22"
                }
              ]
            },
            {
              "product": "OPC UA C++ SDK",
              "vendor": "Softing",
              "versions": [
                {
                  "status": "affected",
                  "version": "V6.00"
                }
              ]
            },
            {
              "product": "edgeConnector Siemens",
              "vendor": "Softing",
              "versions": [
                {
                  "status": "affected",
                  "version": "V3.10"
                }
              ]
            },
            {
              "product": "edgeConnector 840D",
              "vendor": "Softing",
              "versions": [
                {
                  "status": "affected",
                  "version": "V3.10"
                }
              ]
            },
            {
              "product": "edgeConnector Modbus",
              "vendor": "Softing",
              "versions": [
                {
                  "status": "affected",
                  "version": "V3.10"
                }
              ]
            },
            {
              "product": "edgeAggregator",
              "vendor": "Softing",
              "versions": [
                {
                  "status": "affected",
                  "version": "V3.10"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Pedro Ribeiro and Radek Domanski, working with Trend Micro Zero Day Initiative, reported these vulnerabilities to Softing and CISA."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Softing OPC UA C++ Server SDK, Secure Integration Server, edgeConnector, edgeAggregator, OPC Suite, and uaGate are affected by a NULL pointer dereference vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-476",
                  "description": "CWE-476: NULL Pointer Dereference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-17T20:08:38.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-04"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-7.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Softing released new versions to address these vulnerabilities and notified known users of the releases. Users are advised to update to the new versions:\nSofting Secure Integration Server V1.30 \n\nThe latest software packages can be downloaded from the Softing website. \n\nSofting recommends the following mitigations and workarounds: \nChange the admin password or create a new user with administrative rights and delete the default admin user. \nConfigure the Windows firewall to block network requests to IP port 9000. \nDisable the HTTP Server in NGINX configuration of the Softing Secure Integration Server, only using the HTTPS server. \nFor more details on these vulnerabilities and mitigations, users should see SYT-2022-7 on the Softing security website."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Softing Secure Integration Server NULL Pointer Dereference",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2022-1748",
              "STATE": "PUBLIC",
              "TITLE": "Softing Secure Integration Server NULL Pointer Dereference"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Secure Integration Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "V1.22"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "OPC UA C++ SDK",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "V6.00"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "edgeConnector Siemens",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "V3.10"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "edgeConnector 840D",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "V3.10"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "edgeConnector Modbus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "V3.10"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "edgeAggregator",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "V3.10"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Softing"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Pedro Ribeiro and Radek Domanski, working with Trend Micro Zero Day Initiative, reported these vulnerabilities to Softing and CISA."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Softing OPC UA C++ Server SDK, Secure Integration Server, edgeConnector, edgeAggregator, OPC Suite, and uaGate are affected by a NULL pointer dereference vulnerability."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-476: NULL Pointer Dereference"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-04",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-04"
                },
                {
                  "name": "https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-7.html",
                  "refsource": "CONFIRM",
                  "url": "https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-7.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Softing released new versions to address these vulnerabilities and notified known users of the releases. Users are advised to update to the new versions:\nSofting Secure Integration Server V1.30 \n\nThe latest software packages can be downloaded from the Softing website. \n\nSofting recommends the following mitigations and workarounds: \nChange the admin password or create a new user with administrative rights and delete the default admin user. \nConfigure the Windows firewall to block network requests to IP port 9000. \nDisable the HTTP Server in NGINX configuration of the Softing Secure Integration Server, only using the HTTPS server. \nFor more details on these vulnerabilities and mitigations, users should see SYT-2022-7 on the Softing security website."
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2022-1748",
        "datePublished": "2022-08-17T20:08:38.000Z",
        "dateReserved": "2022-05-16T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:13:15.237Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }