An information disclosure vulnerability exists in Schneider Electric SoMachine HVAC due to a method in the ‘AxEditGrid3.ocx’ ActiveX control leaking a heap address of an ActiveX object. An attacker can entice a user to open a specially crafted web page to leak Internet Explorer process memory information.
- Exodus Intelligence: EIP-50a1e402
- MITRE: CVE-2022-2988
- CVSSv2 Score: 5.0
- Exodus Intelligence
- Disclosed to affected vendor: December 10th, 2021
- Disclosed to public: January 12th, 2023
Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at firstname.lastname@example.org.
Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program (RSP).