Lilee Systems/Alstom Rail CMU-2110 | Dragos
Security Advisory

Lilee Systems/Alstom Rail CMU-2110

Risk Information

Limited Threat

  • CVE ID: CVE-2022-23407
    Vulnerability Type: Unauthenticated firmware update
    CVSS3 Score: 10
    CVSSv3 Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

  • CVE ID: CVE-2022-23406
    Vulnerability Type: Backdoor accounts including remote ‘root’ access
    CVSS3 Score: 10
    CVSSv3 Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

  • CVE ID: CVE-2022-23405
    Vulnerability Type: Unprotected bootloader access via Diagnostic Port
    CVSS3 Score: 9.6
    CVSSv3 Vector: AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

  • CVE ID: CVE-2022-23404
    Vulnerability Type: PTC Message Access and Manipulation
    CVSS3 Score: 9.8
    CVSSv3 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affecting

  • v2.6_build38. Other versions may also be affected.

Mitigation

Lilee has not released a patch to resolve this issue.

01/24/2022