ToolboxST versions prior to version 7.10 are affected by a deserialization vulnerability. An attacker with local access to an HMI, or who has conducted a social engineering attack on an authorized operator, could execute code in a Toolbox user's context through the deserialization of an untrusted configuration file.
Customers are advised to update to ToolboxST 7.10 which can be found in ControlST 7.10. If unable to update at this time, customers should ensure they are following the guidance laid out in GE Gas Power's Secure Deployment Guide (GEH-6839). Customers should ensure they are not running ToolboxST as an Administrative user.
CVE-2023-1552
GE
ToolboxST
6.4
Team82 is committed to privately reporting vulnerabilities to affected vendors in a coordinated, timely manner in order to ensure the safety of the cybersecurity ecosystem worldwide. To engage with the vendor and research community, Team82 invites you to download and share our Coordinated Disclosure Policy. Team82 will adhere to this reporting and disclosure process when we discover vulnerabilities in products and services.
Team82 has also made its public PGP Key available for the vendor and research community to securely and safely exchange vulnerability and research information with us.