CVE-2022-22524: CWE-89 SQL Injection in Carlo Gavazzi UWP 3.0 Monitoring Gateway and Controller
Description
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 an unauthenticated remote attacker could utilize a SQL-Injection vulnerability to gain full database access, modify users and stop services.
AI Analysis
Technical Summary
CVE-2022-22524 is a critical SQL injection vulnerability (CWE-89) in Carlo Gavazzi's UWP 3.0 Monitoring Gateway and Controller (multiple versions) and in CPY Car Park Server version 2.8.3. User-supplied input reaches a SQL query without being neutralized, so an unauthenticated remote attacker can change the structure of the query and execute arbitrary SQL statements against the backend database. No authentication and no user interaction are required. According to the advisory, successful exploitation gives full database access and lets the attacker modify users and stop services, so confidentiality, integrity and availability are all affected. The CVSS v3.1 base score is 9.4 (critical): attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), confidentiality high (C:H), integrity low (I:L) and availability high (A:H); a score of 9.4 with these metrics implies an unchanged scope (S:U). Note that the description's "modify users" suggests a more serious integrity impact than the I:L metric records, so treat the score as a floor rather than a ceiling. No public exploit is known at the time of writing, but an unauthenticated, network-reachable SQL injection needs little skill or tooling to exploit. UWP 3.0 is deployed in industrial automation and building management systems, which often monitor and control critical infrastructure; CPY Car Park Server is used for parking management and may be integrated into broader facility management systems.
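The mechanism described above, as an added example that is not code from Carlo Gavazzi, from the advisory or from this page: the injectable endpoint, schema and query of the real products are not disclosed, so the `users` table, the login lookup and the SQLite backend below are assumptions chosen to show the class of flaw. In the string-built query a `'` in the input ends the string literal and `--` comments out the rest of the statement, so a crafted user name logs in as admin and a UNION clause reads the password column; the parameterized form treats the same inputs as plain data.

```python
import sqlite3

# Constructed in-memory stand-in for the product's backend database. The real
# schema of UWP 3.0 / CPY Car Park Server is not disclosed in the advisory; this
# table and the login lookup are assumptions used to illustrate CWE-89.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "correct horse", "admin"), ("operator", "battery staple", "operator")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Deliberately vulnerable: input is spliced into the SQL text, so a quote
    in `name` ends the string literal and the remainder is parsed as SQL."""
    sql = f"SELECT role FROM users WHERE name = '{name}' AND password = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, name, password):
    """Hardened form: placeholders bind the values as data; the statement's
    structure is fixed before any user input is seen."""
    sql = "SELECT role FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


# Two payloads: the first comments out the password check (authentication
# bypass), the second appends a UNION to read a column the query never meant
# to return (data disclosure). Drivers that allow stacked statements would
# additionally let "; UPDATE users ..." or "; DROP ..." run, which is the
# "modify users and stop services" impact the advisory describes.
BYPASS = "admin' --"
EXFIL = "x' UNION SELECT password FROM users WHERE name = 'admin' --"


def demo():
    """Return the outcome of each payload against both query styles."""
    conn = build_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, BYPASS, "wrong"),          # 'admin'
        "vulnerable_exfil": login_vulnerable(conn, EXFIL, "wrong"),            # 'correct horse'
        "parameterized_bypass": login_parameterized(conn, BYPASS, "wrong"),    # None
        "parameterized_exfil": login_parameterized(conn, EXFIL, "wrong"),      # None
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The parameterized version is not "validation": it does not reject the quote or the comment sequence, it simply never lets them reach the SQL parser, which is why it holds up against payloads a blocklist has not seen.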
Potential Impact
For European organizations, this vulnerability poses a substantial risk, especially those in industrial automation, building management, and facility services sectors that deploy Carlo Gavazzi's UWP 3.0 products or CPY Car Park Server. Exploitation could lead to unauthorized access to sensitive operational data, manipulation of user credentials, and service outages, potentially disrupting critical infrastructure and business continuity. Confidentiality breaches could expose sensitive operational parameters or personal data, leading to compliance violations under GDPR. Integrity compromises could allow attackers to create or modify user accounts, potentially establishing persistent unauthorized access. Availability impacts could halt monitoring and control functions, affecting safety and operational efficiency. Given the criticality of these systems in sectors such as manufacturing, energy, transportation, and smart buildings across Europe, the threat could have cascading effects on safety, regulatory compliance, and operational resilience.
Mitigation Recommendations
Identify and inventory every instance of Carlo Gavazzi UWP 3.0 Monitoring Gateway and Controller and of CPY Car Park Server version 2.8.3, including units installed by integrators or facility-management contractors that may not appear in IT asset records. No patch is linked on this page, so contact Carlo Gavazzi, or CERT@VDE as the CNA that assigned this CVE, for fixed versions or vendor mitigations, and upgrade as soon as one is available. Until then the most effective control is exposure reduction: the vulnerable code is in the vendor's product, so parameterizing your own queries does not remove it, and a WAF or IPS with SQL injection signatures only raises the cost of exploitation and can be bypassed. Restrict access to the products' web and management interfaces to trusted management networks, confirm that no instance is reachable from the internet, and place a WAF or IPS in front of whatever exposure remains, treating it as a stopgap rather than a fix. Apply input validation and parameterized queries in any custom integrations or scripts that talk to these products' databases. Monitor web-server and database logs for SQL injection indicators (quotes followed by comment sequences, UNION SELECT, stacked statements) and for unexpected changes to user accounts or service stops. Strict access controls and multi-factor authentication on management interfaces do not stop an unauthenticated SQL injection, but they limit what an attacker can do with credentials harvested or created through it. Keep offline backups of critical data and configuration so that tampered user tables or stopped services can be restored, and brief both OT and IT security teams so that exploitation attempts are recognised and escalated quickly.
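The log-monitoring advice above, as an added example (not a vendor or project tool): a small scanner that parses combined-format web access log lines, URL-decodes the query string twice so that single- and double-encoded payloads are both seen, and flags common SQL injection indicators. The log lines, IP addresses and `/api/...` paths are constructed; the products' real endpoints are not documented in the advisory.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache/nginx combined-log style. The paths and
# parameter names are assumptions: the advisory does not disclose the
# injectable endpoint, so these stand in for whatever the product exposes.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2022:10:01:02 +0100] "GET /api/login?user=operator&pass=s3cret HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2022:10:01:07 +0100] "GET /api/login?user=admin%27%20--&pass=x HTTP/1.1" 200 512 "-" "python-requests/2.27"
203.0.113.9 - - [12/Mar/2022:10:01:09 +0100] "GET /api/users?id=1%20UNION%20SELECT%20name,password,3%20FROM%20users-- HTTP/1.1" 200 2048 "-" "python-requests/2.27"
203.0.113.9 - - [12/Mar/2022:10:01:12 +0100] "GET /api/users?id=1%3B%20SHUTDOWN%3B-- HTTP/1.1" 500 0 "-" "python-requests/2.27"
10.0.0.7 - - [12/Mar/2022:10:02:00 +0100] "GET /api/users?id=42 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD path proto", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator name and pattern, applied to the decoded, lowercased query string.
INDICATORS = [
    ("quote-comment", re.compile(r"'\s*(--|#|/\*)")),
    ("union-select", re.compile(r"\bunion\b[\s/*]+(all\s+)?select\b")),
    ("tautology", re.compile(r"\bor\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+")),
    ("stacked-query", re.compile(r";\s*(shutdown|drop|delete|update|insert|exec)\b")),
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay")),
]


def decode_query(path):
    """Return the query string after two rounds of URL decoding, lowercased.
    The second round catches %2527-style double encoding used to slip past
    filters that decode only once."""
    query = path.partition("?")[2]
    for _ in range(2):
        query = unquote_plus(query)
    return query.lower()


def sqli_indicators(path):
    """Names of the indicators that match the request's query string."""
    query = decode_query(path)
    return [name for name, pattern in INDICATORS if pattern.search(query)]


def scan_access_log(text):
    """Parse each line and return the requests that carry SQLi indicators."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        names = sqli_indicators(match["path"])
        if names:
            hits.append({
                "ip": match["ip"],
                "path": match["path"],
                "status": int(match["status"]),
                "indicators": names,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["indicators"], hit["path"])
```

Two limits worth knowing before deploying this: access logs do not contain POST bodies, so injection through form fields or JSON needs the database's own query log or a reverse proxy that logs bodies; and pattern matching will flag legitimate free-text values that happen to contain `' --` or `or 1=1`, so the output is a triage queue, not a block list.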
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Belgium, Sweden, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: CERTVDE
- Date Reserved: 2022-01-03T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682de8d1c4522896dcc00425
Added to database: 5/21/2025, 2:53:05 PM
Last enriched: 7/7/2025, 2:59:08 PM
Last updated: 8/2/2025, 6:37:01 PM
Related Threats
- CVE-2025-9019: Heap-based Buffer Overflow in tcpreplay (Low)
- CVE-2025-9017: Cross Site Scripting in PHPGurukul Zoo Management System (Medium)
- CVE-2025-9051: SQL Injection in projectworlds Travel Management System (Medium)
- CVE-2025-1929: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Risk Yazılım Teknolojileri Ltd. Şti. Reel Sektör Hazine ve Risk Yönetimi Yazılımı (High)
- CVE-2025-54475: CWE-89: Improper Neutralization of Special Elements used in an SQL Command in joomsky.com JS Jobs component for Joomla (High)