
CVE-2022-28814: CWE-23 Relative Path Traversal in Carlo Gavazzi UWP 3.0 Monitoring Gateway and Controller

Severity: Critical
Tags: vulnerability, CVE-2022-28814, CWE-23
Published: Wed Sep 28 2022 (09/28/2022, 13:45:35 UTC)
Source: CVE
Vendor/Project: Carlo Gavazzi
Product: UWP 3.0 Monitoring Gateway and Controller

Description

Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in version 2.8.3 were discovered to be vulnerable to a relative path traversal flaw that enables remote attackers to read arbitrary files and gain full control of the device.

AI-Powered Analysis

Last updated: 07/06/2025, 06:11:32 UTC

Technical Analysis

CVE-2022-28814 is a critical vulnerability in Carlo Gavazzi's UWP 3.0 Monitoring Gateway and Controller and in CPY Car Park Server version 2.8.3. It is classified as CWE-23, Relative Path Traversal: the application builds a file path from client-supplied input and resolves it relative to an intended base directory, but never verifies that the resolved path still lies inside that directory, so "../" sequences (plain or URL-encoded) walk out of the base directory into the rest of the file system. The result here is an unauthenticated read of arbitrary files on the device.

The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N) states that the flaw is reachable over the network and needs neither privileges nor user interaction; the base score of 9.8 records high impact on confidentiality, integrity and availability. The description says the arbitrary read leads to full control of the device. The record does not spell out how one turns into the other, but on embedded gateways that step typically runs through disclosed credentials, configuration or session material that then unlocks the administrative interface, which is what makes a "read-only" traversal a full-compromise issue. No public exploit has been reported at the time of this analysis, but an unauthenticated traversal is trivial to trigger once the vulnerable endpoint is known, so the absence of a public exploit should not lower the priority.

The affected-version data on this page names version 8 of the UWP 3.0 product line, while the description speaks of multiple versions; treat every UWP 3.0 deployment as in scope until the vendor confirms otherwise. UWP 3.0 is used to monitor and control industrial and building automation systems, including car park management, so exploitation can disrupt operational technology environments or disclose and alter their data.
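To make the CWE-23 mechanism concrete, the following added example (not code from the UWP 3.0 firmware or from Carlo Gavazzi; the file system, web root and handler names are constructed for illustration) puts a traversal-prone static-file resolver next to a hardened one. The flawed handler joins the client path to the web root and normalizes it but never checks containment; the hardened handler rejects NUL bytes and uses a canonical-path containment check rather than a string prefix.

```python
"""Relative path traversal (CWE-23) on a web root: the flawed resolver beside
a hardened one. Everything here is illustrative; the in-memory file system and
the handler logic are constructed for this example and are NOT taken from the
Carlo Gavazzi UWP 3.0 firmware."""
import posixpath
from urllib.parse import unquote

# Constructed stand-in for a device filesystem. Contents are made up.
FAKE_FS = {
    "/var/www/static/index.html": "<html>ok</html>",
    "/var/www/static/css/app.css": "body{}",
    "/var/www/app/config.ini": "[db]\npassword=hunter2",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh",
}
WEB_ROOT = "/var/www/static"  # the directory the handler is supposed to serve from


def read_file(path):
    """Look a canonical path up in the fake filesystem."""
    try:
        return FAKE_FS[path]
    except KeyError:
        raise FileNotFoundError(path) from None


def serve_vulnerable(requested):
    """CWE-23 pattern: the client-supplied relative path is decoded, joined to
    WEB_ROOT and normalized, but nobody checks that the normalized result is
    still below WEB_ROOT, so '../' segments walk out of the root."""
    rel = unquote(requested)
    full = posixpath.normpath(posixpath.join(WEB_ROOT, rel))
    return read_file(full)


def serve_hardened(requested):
    """Decode once, normalize, then enforce containment with commonpath.
    A plain str.startswith(WEB_ROOT) check would wrongly accept
    '/var/www/static2/...', which is why commonpath is used instead."""
    rel = unquote(requested)
    if "\x00" in rel:
        # An embedded NUL can truncate the path once it reaches a C file API.
        raise PermissionError("NUL byte in requested path")
    full = posixpath.normpath(posixpath.join(WEB_ROOT, rel.lstrip("/")))
    if posixpath.commonpath([WEB_ROOT, full]) != WEB_ROOT:
        raise PermissionError(f"path escapes web root: {requested!r}")
    return read_file(full)


def probe(handler, requested):
    """Run one handler on one request and reduce the outcome to a short
    status string so the two handlers can be compared side by side."""
    try:
        return "read:" + handler(requested)
    except PermissionError:
        return "denied"
    except FileNotFoundError:
        return "missing"


if __name__ == "__main__":
    for req in ("css/app.css", "../../../etc/passwd",
                "..%2f..%2f..%2fetc%2fpasswd", "../app/config.ini"):
        print(f"{req:32} vulnerable={probe(serve_vulnerable, req):40} "
              f"hardened={probe(serve_hardened, req)}")
```

Note that the hardened resolver still serves "css/../index.html": after normalization that path is inside the root, and containment is judged on the canonical path, not on whether the raw input contained "..". That is the correct test; blocking the literal string ".." would miss encoded and mixed-separator variants while also breaking legitimate relative links.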

Potential Impact

For European organizations, exploitation of CVE-2022-28814 could have severe consequences. The affected devices are typically deployed in industrial automation, building management and parking infrastructure, sectors that underpin urban infrastructure and industrial operations across Europe. Successful exploitation could expose sensitive operational data, disrupt automated control systems and, where the controlled equipment has a physical effect, create safety risks. The knock-on effects are operational downtime, financial loss, regulatory penalties under GDPR if personal data (for example vehicle or occupancy records from car park systems) is exposed, and reputational damage. Because these gateways sit between field equipment and the wider network, there is also a risk of cascading effects on other connected systems. The combination of no authentication and remote reachability makes broad, opportunistic attacks realistic wherever these devices can be reached from less trusted networks or directly from the internet.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should take specific actions beyond generic patching advice. First, inventory every Carlo Gavazzi UWP 3.0 Monitoring Gateway and Controller (all versions, including version 8) and every CPY Car Park Server 2.8.3 on the network, and confirm that none of their web interfaces are reachable from the internet. Enforce network segmentation so these devices are isolated from general IT networks and reachable only from designated management stations, and back that up with firewall rules that block unsolicited inbound traffic, in particular from untrusted external networks. No official patch is linked from this page; the assigning CNA is CERT@VDE, so check its advisory feed and contact Carlo Gavazzi for available firmware updates or workarounds. In the interim, monitor device and proxy logs and network traffic for requests containing traversal sequences, including URL-encoded and double-encoded forms, and for reads of paths that do not belong to the web interface. Intrusion detection signatures for path traversal should decode the request target before matching; a signature that only looks for the literal "../" is bypassed by "%2e%2e%2f". An application-layer gateway or reverse proxy in front of the device can reject such requests before they reach it, but it must decode and normalize the path the same way the device does, otherwise a request that looks clean to the proxy can still traverse on the backend. Finally, develop and exercise incident response plans specific to industrial control system compromise, including how to re-credential a device whose configuration files may have been read, so containment is fast if exploitation occurs.
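As an added example of the log monitoring recommended above (this is not code from the page or from Carlo Gavazzi, and the UWP 3.0's actual log format is not known here, so the Combined Log Format regex is an assumption to adapt), the following detector decodes each request target repeatedly so that single- and double-encoded "../" are both seen, then tracks how far the "..' segments climb relative to the URL root. A request that merely contains ".." but stays inside the root (such as "css/../img/") is not flagged, which keeps the false-positive rate down; the sample log lines are constructed.

```python
"""Detect relative path traversal attempts in web-server access logs by
decoding the request target (repeatedly, to catch double encoding) and
tracking how far '..' segments walk below the served root. Added example;
the log lines are constructed and the device's real log format is not known
to this page, so adapt LOG_RE to what the gateway actually emits."""
import re
from urllib.parse import unquote

# Combined Log Format, as emitted by many embedded HTTP servers (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: two benign requests, three traversal attempts
# (plain, single-encoded, double-encoded).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Sep/2022:13:45:35 +0000] "GET /static/css/app.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Sep/2022:13:45:36 +0000] "GET /static/css/../img/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [28/Sep/2022:13:46:01 +0000] "GET /static/../../../etc/passwd HTTP/1.1" 200 1044 "-" "curl/7.85.0"
198.51.100.23 - - [28/Sep/2022:13:46:02 +0000] "GET /static/..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 403 0 "-" "curl/7.85.0"
198.51.100.23 - - [28/Sep/2022:13:46:03 +0000] "GET /static/%252e%252e/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 1044 "-" "curl/7.85.0"
"""


def decode_target(target, max_rounds=3):
    """Drop the query string, percent-decode until stable (bounded) and fold
    backslashes, which some servers treat as separators. A detector decodes
    liberally on purpose; a server must decode exactly once."""
    cur = target.split("?", 1)[0]
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/")


def min_depth(path):
    """Walk the segments and return the lowest directory depth reached
    relative to the URL root. Negative means '..' climbed above the root."""
    depth = lowest = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            lowest = min(lowest, depth)
        else:
            depth += 1
    return lowest


def scan_log(lines):
    """Return one record per request whose decoded path escapes the root."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_target(m["target"])
        depth = min_depth(decoded)
        if depth < 0:
            hits.append({
                "ip": m["ip"], "status": m["status"], "target": m["target"],
                "decoded": decoded, "escape_depth": -depth,
                # A 2xx on an escaping path means the server actually served it.
                "likely_success": m["status"].startswith("2"),
            })
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG.splitlines()):
        flag = "SERVED" if h["likely_success"] else "blocked"
        print(f'{h["ip"]:15} {h["status"]} {flag:8} depth={h["escape_depth"]} {h["decoded"]}')
```

The status code matters for triage: an escaping path answered with 2xx is evidence the read succeeded and the device should be treated as compromised (credentials rotated, configuration re-imported), whereas a 403 or 404 is an attempt worth blocking at the source address but not, by itself, a compromise.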


Technical Details

Data Version: 5.1
Assigner Short Name: CERTVDE
Date Reserved: 2022-04-08T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682ceb104d7c5ea9f4b39d6d

Added to database: 5/20/2025, 8:50:24 PM

Last enriched: 7/6/2025, 6:11:32 AM

Last updated: 8/12/2025, 10:06:55 PM
