ToolBoxST prior to Version 7.8.0 uses a vulnerable version of the Ionic .NET Zip library that does not properly sanitize path names, allowing files to be extracted to a location above their parent directory and back to the root directory. If an attacker compromises an HMI or creates their own SDI client, they can upload the file from a controller, patch it to contain a malicious file and path, and download it back to the controller. The next user to perform an upload could grab the malicious file and extract it to their HMI, creating the potential for arbitrary write, overwrite, and execution.
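A defender can audit an archive pulled from a controller before any tool extracts it. The following is an added example, not code from GE or the Ionic library: it flags entry names that would resolve outside the extraction directory, assuming the extracting host is a Windows HMI (so both separators are honoured). The function names and the sample archive contents are constructed for illustration.

```python
import io
import zipfile
from pathlib import PureWindowsPath


def escapes_root(entry_name: str) -> bool:
    """True if a zip entry name would resolve outside the extraction directory.

    Evaluated under Windows path rules (assumption: the extracting host is a
    Windows HMI), so both '/' and '\\' count as separators.
    """
    path = PureWindowsPath(entry_name.replace("/", "\\"))
    if path.drive or path.root:          # C:\x, C:x, \x, \\server\share\x
        return True
    depth = 0
    for part in path.parts:
        depth += -1 if part == ".." else 1
        if depth < 0:                    # climbed above the extraction root
            return True
    return False


def unsafe_entries(zip_bytes: bytes) -> list[str]:
    """List entry names in an archive that must not be extracted as named."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        return [i.filename for i in archive.infolist() if escapes_root(i.filename)]


def build_sample() -> bytes:
    """Constructed archive: two benign entries and three that escape the root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in ("project/settings.xml",        # benign
                     "project/notes..txt",          # benign: dots inside a name
                     "../../outside.txt",           # parent traversal
                     "project/../../outside2.txt",  # traversal after a valid dir
                     "/abs/outside3.txt"):          # rooted path
            archive.writestr(name, b"constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    for name in unsafe_entries(build_sample()):
        print("refuse to extract:", name)
```

Tracking directory depth rather than searching for the substring `..` avoids false positives on names such as `notes..txt` while still catching traversal that begins after a valid directory component.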

Risk Information

  • CVE ID: CVE-2021-44477
  • Vendor: GE
  • Product: ToolBoxST
  • CVSS v3: 7.5