Third-party Vulnerability

Note: Axeda Agent and Axeda Desktop Server are third-party software components no longer used in BD products. BD is proactively reaching out to customers who may still have Axeda in limited instances to assist in removing this application.

BD is aware of and currently monitoring vulnerabilities affecting all versions of Axeda Agent and Axeda Desktop Server for Windows Operating Systems. This third-party vulnerability is not specific to BD or our products. Additionally, we have not received any reports of this vulnerability being exploited on BD products. BD is providing this update to let customers know which BD products could be affected by the following third-party Axeda vulnerabilities:

• CVE-2022-25246 – AxedaDesktopServer.exe – The affected product uses hardcoded credentials for its UltraVNC installation. Successful exploitation of this vulnerability could allow a remote authenticated attacker to take full remote control of host operating system via Remote Desktop Connection.

• CVE-2022-25247 – ERemoteServer, System Access – The affected product may allow an attacker to send certain commands to a specific port without authentication. Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to obtain full file-system access and remote code execution.

• CVE-2022-25248 – ERemoteServer, Event Text Log – When connecting to a certain port the affected product supplies the event log of the specific service.

• CVE-2022-25249 – xGate and EKernel, Directory Traversal – The affected product (does not apply to Axeda agent 6.9.2 and 6.9.3) is vulnerable to directory traversal, which could allow a remote, unauthenticated attacker to obtain file system read access via web server.

• CVE-2022-25250 – xGate and EKernel, Shut Down – The affected product may allow an attacker to send a certain command to a specific port without authentication. Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to shut down a specific service.

• CVE-2022-25251 – xGate and EKernel, Read and modify agent configuration – The affected product may allow an attacker to send certain XML messages to a specific port without proper authentication. Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to read and modify the affected product’s configuration.

• CVE-2022-25252 – xBase39 – The affected product when receiving certain input throws an exception. Services using that function do not handle the exception. Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to crash the affected product.