Cognex 3D-A1000 Dimensioning System
Priority: Act Now
CVSS: 9.8
Advisory: ICS-CERT ICSA-22-249-03
Date: Sep 6, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The Cognex 3D-A1000 Dimensioning System contains multiple authentication and access control vulnerabilities (CWE-306, CWE-117, CWE-602) in firmware version 1.0.3 and prior. These allow unauthenticated attackers to change passwords, escalate privileges, falsify password logs, and bypass web-based access controls without requiring valid credentials or user interaction.
What this means
What could happen
An attacker with network access to the 3D-A1000 could change admin passwords, escalate privileges, and bypass web access controls, potentially allowing them to manipulate dimensional measurement data or disable the system entirely.
Who's at risk
Manufacturers and logistics companies using Cognex 3D-A1000 Dimensioning Systems for automated package measurement and quality control should be concerned. This device is often deployed at shipping centers, warehouses, and production lines where it feeds measurement data to downstream systems and conveyor controls.
How it could be exploited
An attacker on the network can send unauthenticated requests to the web interface of the 3D-A1000 to exploit CWE-306 (missing authentication) and CWE-602 (client-side enforcement of server-side security) vulnerabilities. This allows password changes and privilege escalation without valid credentials, and can be chained to alter system behavior or disable the device remotely.
Prerequisites
- Network access to the 3D-A1000 web interface (default port or configured port)
- No authentication required for initial exploitation
- Remotely exploitable
- No authentication required
- Low complexity
- Critical CVSS score (9.8)
- Affects measurement/control system
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product: Cognex 3D-A1000 Dimensioning System
Affected Versions: Firmware Version 1.0.3 (3354) and prior (≤ 1.0.3 (3354))
Fix Status: 1.2 PR2 or later
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to the 3D-A1000 web interface using firewall rules; allow only from trusted engineering workstations and block Internet-facing access
Schedule (requires maintenance window)
Patching may require a device reboot; plan for process interruption.
- HOTFIX: Upgrade firmware to version 1.2 PR2 or later
Long-term hardening
- HARDENING: Segment the 3D-A1000 and other dimensioning systems onto a dedicated industrial network isolated from business networks and the Internet
- HARDENING: If remote access is required, use a VPN with current security patches and multi-factor authentication
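As an added example (not part of the advisory and not Cognex's own configuration), the nftables ruleset below is what the "Do now" workaround and the segmentation hardening look like on the gateway that sits between the business network and a dedicated industrial segment: only the listed engineering workstations may open connections to the device's web interface, every other attempt is logged and dropped, and the device has no path toward the business network or the Internet except the one measurement feed you explicitly permit. The device address, the workstation addresses, the interface names, the downstream consumer, and the use of TCP 80/443 for the web interface are all assumptions; the advisory only says "default port or configured port", so substitute the port actually configured on your unit.

```nft
#!/usr/sbin/nft -f
# Added example: gateway ruleset isolating a Cognex 3D-A1000 on its own segment.
# Every address, interface and port below is a constructed assumption, not a
# value from the advisory. Documentation prefixes (RFC 5737) are used on purpose.

define DIMENSIONER = 192.0.2.10                          # assumed 3D-A1000 address (OT segment)
define ENG_WS      = { 198.51.100.21, 198.51.100.22 }    # assumed trusted engineering workstations
define WEB_PORTS   = { 80, 443 }                         # assumed web interface ports; use the configured port
define DOWNSTREAM  = 198.51.100.50                       # assumed system that consumes measurement data
define DATA_PORT   = 5000                                # PLACEHOLDER: port of your integration protocol
define OT_IFACE    = "eth1"                              # assumed interface facing the industrial segment
define IT_IFACE    = "eth0"                              # assumed interface facing the business network

table inet ot_gateway {
    chain forward {
        # Default deny between the two segments; only the rules below open anything.
        type filter hook forward priority filter; policy drop;

        # Replies for sessions that were already permitted.
        ct state established,related accept

        # WORKAROUND: only the engineering workstations may reach the device's web interface.
        iifname $IT_IFACE oifname $OT_IFACE ip saddr $ENG_WS ip daddr $DIMENSIONER tcp dport $WEB_PORTS ct state new accept

        # Any other attempt to reach the (unauthenticated, CWE-306) web interface is logged, then dropped.
        iifname $IT_IFACE oifname $OT_IFACE ip daddr $DIMENSIONER tcp dport $WEB_PORTS log prefix "3D-A1000 web denied: " drop

        # The single permitted egress flow: the device feeding measurement data downstream (placeholder values).
        iifname $OT_IFACE oifname $IT_IFACE ip saddr $DIMENSIONER ip daddr $DOWNSTREAM tcp dport $DATA_PORT ct state new accept

        # HARDENING: nothing else leaves the device toward the business network or the Internet.
        iifname $OT_IFACE oifname $IT_IFACE ip saddr $DIMENSIONER log prefix "3D-A1000 egress denied: " drop
    }
}
```

Load it with `nft -f` and watch the kernel log for the two prefixes: a burst of "3D-A1000 web denied" entries from an unexpected source is the earliest sign that something is probing the interface the advisory describes. Note that these rules only govern traffic crossing the gateway; hosts already on the industrial segment still reach the device directly, so the workaround is complete only once the segment itself contains nothing but the devices and the workstations you intend to allow.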