Pilz: Multiple products affected by ZipSlip

MonitorCVSS 5.5VDE-2022-044Nov 24, 2022

Pilz

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Multiple Pilz software products do not properly validate file paths contained in ZIP archives. An attacker can exploit this ZipSlip vulnerability to write arbitrary files to the system, potentially achieving code execution or unauthorized modification of safety configurations. Affected products: PAScal, PASconnect, PASmotion, PNOZmulti Configurator (both standard and LTS versions). The vulnerability requires user interaction—a victim must open or import a malicious archive—but does not require authentication or special privileges.

What this means

What could happen

An attacker could write arbitrary files to a system running these Pilz tools by supplying a malicious archive, potentially leading to code execution or unauthorized modification of safety system configurations.

Who's at risk

Organizations using Pilz safety software products (PAScal, PASconnect, PASmotion, PNOZmulti Configurator) for configuring and managing safety-critical control systems and emergency stop logic in manufacturing, process automation, and machinery control environments.

How it could be exploited

An attacker crafts a ZIP archive with path traversal entries (e.g., ../../../malicious_file) and tricks a user into opening or importing it into one of the affected Pilz software products. The application fails to validate archive paths and extracts files outside the intended directory, allowing the attacker to overwrite system files or inject code.

Prerequisites

User interaction: victim must open or import a malicious ZIP archive in the affected Pilz software
Local file system access to the machine running the Pilz software
No special privileges or valid credentials required

No authentication requiredUser interaction required (reduces likelihood but not severity)Affects safety system configuration toolsLow complexity to exploit with crafted ZIP archive

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (5)

4 with fix1 pending

ProductAffected VersionsFix Status

PAScal <=1.9.1≤ 1.9.1No fix yet

PASconnect <1.4.0<1.4.01.4.0+

PASmotion <1.4.1<1.4.11.4.1+

PNOZmulti Configurator <11.2.0<11.2.011.2.0+

PNOZmulti Configurator LTS <10.14.4<10.14.411.2.0+

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDRestrict file import and archive handling to trusted, internal sources only; train users not to open archives from unknown or untrusted origins

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXContact Pilz directly or check www.pilz.com/en-INT/eshop for patched versions and apply updates to PAScal, PASconnect, PASmotion, and PNOZmulti Configurator

Long-term hardening

0/1

HARDENINGImplement file system monitoring or integrity checks on machines running these Pilz tools to detect unexpected file creation or modification in critical system directories

CVEs (1)

CVE-2022-40976

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/2c2427a1-7e60-4353-a391-747151877745

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.