CVE-2023-1552
CVE-2023-1552 is a medium-severity vulnerability in Ge Toolboxst with a CVSS 3.x base score of 6.4. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-502.
Key facts
- Severity: Medium (CVSS 3.x base score 6.4)
- EPSS exploit prediction: 0% (15th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-502
- Affected product: Ge Toolboxst
- Published:
- Last modified:
Description
ToolboxST prior to version 7.10 is affected by a deserialization vulnerability. An attacker with local access to an HMI or who has conducted a social engineering attack on an authorized operator could execute code in a Toolbox user's context through the deserialization of an untrusted configuration file. Two CVSS scores have been provided to capture the differences between the two aforementioned attack vectors. Customers are advised to update to ToolboxST 7.10 which can be found in ControlST 7.10. If unable to update at this time customers should ensure they are following the guidance laid out in GE Gas Power's Secure Deployment Guide (GEH-6839). Customers should ensure they are not running ToolboxST as an Administrative user.
Frequently asked questions
- What is CVE-2023-1552?
- ToolboxST prior to version 7.10 is affected by a deserialization vulnerability. An attacker with local access to an HMI or who has conducted a social engineering attack on an authorized operator could execute code in a Toolbox user's context through the deserialization of an untrusted configuration file. Two CVSS scores have been provided to capture the differences between the two aforementioned attack vectors. Customers are advised to update to ToolboxST 7.10 which can be found in ControlST 7.10. If unable to update at this time customers should ensure they are following the guidance laid out in GE Gas Power's Secure Deployment Guide (GEH-6839). Customers should ensure they are not running ToolboxST as an Administrative user.
- How severe is CVE-2023-1552?
- CVE-2023-1552 has a CVSS 3.x base score of 6.4, rated medium severity. It is exploitable over local access with high attack complexity, requires high privileges and user interaction. Impact on confidentiality is low, integrity high, and availability low.
- Is CVE-2023-1552 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (15th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-1552?
- CVE-2023-1552 affects Ge Toolboxst. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-1552?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2023-1552 published?
- CVE-2023-1552 was published on 2023-04-11 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:ge:toolboxst:*:*:*:*:*:*:*:*
More vulnerabilities in Ge Toolboxst
- CVE-2021-44477 — High (CVSS 7.5): GE Gas Power ToolBoxST Version v04.07.05C suffers from an XML external entity (XXE) vulnerability using the DTD…
All CVEs affecting Ge Toolboxst →
Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities
- CVE-2026-41104 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose…
- CVE-2026-43633 — Critical (CVSS 10.0): HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a…
- CVE-2026-33819 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
- CVE-2026-20131 — Critical (CVSS 10.0): A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could…
- CVE-2026-25632 — Critical (CVSS 10.0): EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water…
- CVE-2025-14931 — Critical (CVSS 10.0): Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability.…
Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →