CVE-2023-1552

CVE-2023-1552 is a medium-severity vulnerability in Ge Toolboxst with a CVSS 3.x base score of 6.4. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-502.

Key facts

Description

ToolboxST prior to version 7.10 is affected by a deserialization vulnerability. An attacker with local access to an HMI or who has conducted a social engineering attack on an authorized operator could execute code in a Toolbox user's context through the deserialization of an untrusted configuration file. Two CVSS scores have been provided to capture the differences between the two aforementioned attack vectors.  Customers are advised to update to ToolboxST 7.10 which can be found in ControlST 7.10. If unable to update at this time customers should ensure they are following the guidance laid out in GE Gas Power's Secure Deployment Guide (GEH-6839). Customers should ensure they are not running ToolboxST as an Administrative user.

Frequently asked questions

What is CVE-2023-1552?
ToolboxST prior to version 7.10 is affected by a deserialization vulnerability. An attacker with local access to an HMI or who has conducted a social engineering attack on an authorized operator could execute code in a Toolbox user's context through the deserialization of an untrusted configuration file. Two CVSS scores have been provided to capture the differences between the two aforementioned attack vectors.  Customers are advised to update to ToolboxST 7.10 which can be found in ControlST 7.10. If unable to update at this time customers should ensure they are following the guidance laid out in GE Gas Power's Secure Deployment Guide (GEH-6839). Customers should ensure they are not running ToolboxST as an Administrative user.
How severe is CVE-2023-1552?
CVE-2023-1552 has a CVSS 3.x base score of 6.4, rated medium severity. It is exploitable over local access with high attack complexity, requires high privileges and user interaction. Impact on confidentiality is low, integrity high, and availability low.
Is CVE-2023-1552 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (15th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2023-1552?
CVE-2023-1552 affects Ge Toolboxst. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2023-1552?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2023-1552 published?
CVE-2023-1552 was published on 2023-04-11 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Ge Toolboxst

All CVEs affecting Ge Toolboxst →

Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities

Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →