
CVE-2022-28813: CWE-89 SQL Injection in Carlo Gavazzi UWP 3.0 Monitoring Gateway and Controller

Severity: High
Tags: vulnerability, cve, cve-2022-28813, cwe-89
Published: Wed Sep 28 2022 (09/28/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: Carlo Gavazzi
Product: UWP 3.0 Monitoring Gateway and Controller

Description

In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could make use of an SQL-injection to gain access to a volatile temporary database with the current states of the device.

AI-Powered Analysis

Last updated: 07/07/2025, 14:44:04 UTC

Technical Analysis

CVE-2022-28813 is a high-severity SQL injection vulnerability affecting Carlo Gavazzi's UWP 3.0 Monitoring Gateway and Controller, as well as the CPY Car Park Server version 2.8.3. The vulnerability arises from improper sanitization of user-supplied input in the affected products, allowing a remote, unauthenticated attacker to inject malicious SQL queries. Exploitation of this flaw enables the attacker to access a volatile temporary database that holds the current states of the device. This temporary database likely contains sensitive operational data about the monitored systems. The vulnerability is classified under CWE-89 (SQL Injection), which is a common and critical web application security flaw. The CVSS v3.1 base score is 7.5, reflecting a high severity due to the ease of remote exploitation without authentication or user interaction, and the potential for confidentiality breach. However, the vulnerability does not impact integrity or availability directly, as the attacker gains read-only access to the temporary database. No known exploits have been reported in the wild as of the publication date. The affected product is version 8 of UWP 3.0 Monitoring Gateway and Controller, which is used for monitoring and controlling industrial and building automation systems. The lack of a patch link suggests that a fix may not have been publicly released at the time of this report. The vulnerability was reserved in April 2022 and published in September 2022 by CERTVDE, indicating responsible disclosure and coordination.
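The CWE-89 pattern described above, the vulnerable form beside its hardened form, as an added illustration that is not code from Carlo Gavazzi or from this advisory. It assumes an in-memory SQLite table as a stand-in for the volatile device-state database (the product's real schema, query and interface are unknown, so all table names, rows and function names here are constructed):

```python
import re
import sqlite3

# Allow-list for device identifiers (assumption: constructed for this example).
DEVICE_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def make_state_db():
    """Build a constructed, in-memory stand-in for a volatile device-state table.

    Assumption: the real product's schema is unknown; these rows are invented.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE device_state (device_id TEXT, state TEXT)")
    conn.executemany(
        "INSERT INTO device_state VALUES (?, ?)",
        [("pump-1", "RUNNING"), ("valve-2", "CLOSED"), ("meter-3", "12.4 kWh")],
    )
    return conn


def lookup_state_vulnerable(conn, device_id):
    """CWE-89 pattern: the caller's value is spliced into the SQL text itself.

    Whatever the caller sends becomes part of the statement, so quote characters
    and SQL keywords in the input change the query's meaning and can return rows
    the caller was never meant to see.
    """
    query = (
        "SELECT device_id, state FROM device_state "
        f"WHERE device_id = '{device_id}'"
    )
    return conn.execute(query).fetchall()


def lookup_state_parameterized(conn, device_id):
    """Hardened form: the value is bound as a parameter, never parsed as SQL."""
    return conn.execute(
        "SELECT device_id, state FROM device_state WHERE device_id = ?",
        (device_id,),
    ).fetchall()


def lookup_state_hardened(conn, device_id):
    """Defense in depth: allow-list the identifier, then run the bound query.

    Rejecting malformed identifiers before the query runs keeps anomalous input
    out of the database layer entirely and gives a clean point to log and alert on.
    """
    if DEVICE_ID_RE.fullmatch(device_id) is None:
        raise ValueError(f"rejected device_id: {device_id!r}")
    return lookup_state_parameterized(conn, device_id)


if __name__ == "__main__":
    db = make_state_db()
    probe = "x' OR '1'='1"  # classic tautology used only to show the difference
    print("vulnerable:   ", lookup_state_vulnerable(db, probe))     # every row leaks
    print("parameterized:", lookup_state_parameterized(db, probe))  # []
    try:
        lookup_state_hardened(db, probe)
    except ValueError as err:
        print("hardened:     ", err)
```

The parameterized query alone closes the injection; the allow-list in front of it is the "strict input validation" layer that also makes rejected requests easy to log, which is useful on devices where the database layer itself cannot be changed.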

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for those in industrial automation, building management, and smart infrastructure sectors that utilize Carlo Gavazzi's UWP 3.0 Monitoring Gateway and Controller or CPY Car Park Server. Unauthorized access to the temporary database could expose sensitive operational data, potentially revealing system states, configurations, or usage patterns. This information leakage could aid attackers in planning further targeted attacks or industrial espionage. Although the vulnerability does not allow direct system control or denial of service, the confidentiality breach alone can have serious implications for critical infrastructure and commercial confidentiality. European organizations operating in sectors such as manufacturing, energy management, transportation, and smart city infrastructure could be particularly affected. The remote and unauthenticated nature of the exploit increases the attack surface, as attackers do not need credentials or physical access. This elevates the risk for organizations with internet-facing installations or insufficient network segmentation. Given the strategic importance of industrial control systems in Europe and the increasing focus on cybersecurity in critical infrastructure, this vulnerability demands prompt attention.

Mitigation Recommendations

Organizations should immediately assess their exposure by identifying installations of Carlo Gavazzi UWP 3.0 Monitoring Gateway and Controller version 8 and CPY Car Park Server 2.8.3. Network segmentation should be enforced to isolate these devices from direct internet access and restrict access to trusted management networks only. Deploying Web Application Firewalls (WAFs) with rules to detect and block SQL injection attempts can provide an additional layer of defense. Since no official patch link is provided, organizations should engage with Carlo Gavazzi for updates or workarounds. In the interim, disabling or limiting remote access to the affected devices can reduce risk. Regular monitoring of device logs for suspicious activity indicative of SQL injection attempts is recommended. Additionally, implementing strict input validation and sanitization on any interfaces exposed by these products, if customizable, can mitigate exploitation. Organizations should also consider deploying intrusion detection systems (IDS) tuned to detect SQL injection patterns targeting these devices. Finally, maintaining an incident response plan tailored to industrial control system breaches will help in rapid containment if exploitation occurs.
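The log-monitoring recommendation above, worked as an added example that is not part of the advisory and not Carlo Gavazzi's code. It assumes the gateway's HTTP front end writes Common Log Format access lines (the product's real log format, URL paths and parameter names are unknown, so the sample lines and the `/api/state?device=` path are constructed) and scans the URL-decoded request path against a small set of named SQL-injection rules:

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in Common Log Format. Assumption: the real
# gateway's log format and URL paths are unknown; these are invented samples.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Sep/2022:10:01:02 +0000] "GET /api/state?device=pump-1 HTTP/1.1" 200 145
10.0.0.9 - - [28/Sep/2022:10:01:07 +0000] "GET /api/state?device=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 3012
10.0.0.9 - - [28/Sep/2022:10:01:09 +0000] "GET /api/state?device=x%27%20UNION%20SELECT%201%2C2-- HTTP/1.1" 500 0
10.0.0.7 - - [28/Sep/2022:10:01:12 +0000] "GET /api/state?device=valve-2 HTTP/1.1" 200 140
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)$'
)

# Named detection rules applied to the URL-decoded request path. Decoding first
# matters: the injection arrives percent-encoded, so the raw line never contains
# a literal quote or keyword and a rule run on the raw text would miss it.
SQLI_RULES = [
    ("tautology", re.compile(r"'\s*or\s*'?\w*'?\s*=\s*'?\w*", re.I)),
    ("union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("comment-terminator", re.compile(r"(--|/\*)\s*$")),
    ("stacked-query", re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I)),
]


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text):
    """Flag requests whose decoded path matches any SQL-injection rule.

    Each alert carries the source IP, timestamp, decoded path, HTTP status,
    response size and the names of the rules that fired, so a responder can
    pivot on the client and see whether the server actually answered the
    injected query (a 200 with an unusually large body deserves a second look).
    """
    alerts = []
    for line in text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        decoded = unquote_plus(fields["path"])
        fired = [name for name, rule in SQLI_RULES if rule.search(decoded)]
        if fired:
            alerts.append({
                "ip": fields["ip"],
                "ts": fields["ts"],
                "path": decoded,
                "status": int(fields["status"]),
                "size": int(fields["size"]),
                "rules": fired,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ts"], alert["ip"], alert["status"], alert["rules"], alert["path"])
```

On the constructed sample the two requests from 10.0.0.9 are flagged and the two legitimate device lookups are not. The same rule set can feed a WAF or IDS signature, but the decode-then-match step is the part most often missed when rules are written against raw log text.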


Technical Details

Data Version: 5.1
Assigner Short Name: CERTVDE
Date Reserved: 2022-04-08T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682dec48c4522896dcc00a72

Added to database: 5/21/2025, 3:07:52 PM

Last enriched: 7/7/2025, 2:44:04 PM

Last updated: 7/29/2025, 3:20:09 AM

Views: 10

