CVE-2022-22526 is a critical security vulnerability identified in Carlo Gavazzi's UWP 3.0 Monitoring Gateway and Controller, as well as the CPY Car Park Server version 2.8.3. The vulnerability is classified under CWE-306, which refers to missing authentication for a critical function. Specifically, this flaw allows unauthenticated attackers to gain full access to the device's API without any form of authentication or user interaction. The affected product, UWP 3.0 Monitoring Gateway and Controller, is used for monitoring and controlling various industrial and building automation systems. Due to the missing authentication mechanism, an attacker can remotely interact with the device’s API over the network (as indicated by the CVSS vector AV:N), potentially leading to complete compromise of confidentiality, integrity, and availability of the system. The vulnerability has a CVSS v3.1 base score of 9.8, indicating a critical severity level. The attack complexity is low (AC:L), no privileges or user interaction are required (PR:N/UI:N), and the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). Although no public exploits have been reported in the wild yet, the nature of the vulnerability makes it highly exploitable by threat actors. The lack of authentication means that any attacker with network access to the device can execute arbitrary commands, manipulate data, disrupt operations, or potentially pivot to other connected systems within the network. This vulnerability poses a significant risk to environments relying on Carlo Gavazzi’s UWP 3.0 devices for critical infrastructure monitoring and control, especially in industrial automation, building management, and parking systems.

For European organizations, this vulnerability presents a severe risk, particularly for those in sectors such as manufacturing, energy, transportation, and smart building management where Carlo Gavazzi’s UWP 3.0 Monitoring Gateway and Controller devices are deployed. Exploitation could lead to unauthorized control over critical infrastructure components, resulting in operational disruptions, safety hazards, data breaches, and potential financial losses. The ability to fully access the API without authentication could allow attackers to manipulate sensor data, disable alarms, or cause system malfunctions, which may have cascading effects on industrial processes or building security. Furthermore, given the interconnected nature of industrial control systems (ICS) and operational technology (OT) networks, a compromise could facilitate lateral movement and broader network infiltration. This is particularly concerning in Europe where regulatory frameworks such as NIS2 and GDPR impose strict requirements on cybersecurity and data protection. Organizations failing to address this vulnerability risk non-compliance penalties and reputational damage. Additionally, the criticality of the vulnerability and ease of exploitation make it an attractive target for cybercriminals and nation-state actors aiming to disrupt European critical infrastructure or conduct espionage.

1. Immediate action should be taken to identify all instances of Carlo Gavazzi UWP 3.0 Monitoring Gateway and Controller and CPY Car Park Server devices within the network. 2. Since no official patches are currently available, organizations should implement network-level access controls to restrict access to these devices’ management interfaces and APIs. This includes isolating the devices on segmented networks or VLANs with strict firewall rules permitting access only from trusted management stations. 3. Employ network intrusion detection and prevention systems (IDS/IPS) to monitor and block suspicious API traffic targeting these devices. 4. Where possible, disable remote management interfaces or restrict them to secure VPN connections with strong authentication. 5. Monitor device logs and network traffic for unusual activity indicative of exploitation attempts. 6. Engage with Carlo Gavazzi support channels to obtain any available firmware updates or security advisories and apply patches promptly once released. 7. Develop and test incident response plans specific to these devices to ensure rapid containment and recovery in case of compromise. 8. Conduct regular security assessments and penetration testing focusing on OT and ICS environments to identify similar vulnerabilities proactively.