CVE-2022-2561 Connectivity Explorer file vulnerability (ZDI-CAN-16596)
The Connectivity Explorer (part of QuickOPC) allows the user to save and load XML files with list of "Live Points". When opening the file, the Connectivity Explorer does not treat it as untrusted data. This allows the attacker to craft a special file which will then execute commands on the user's computer.
The vulnerability is not related to OPC communication.
The vulnerability does not affect user software created with QuickOPC, because it is only present in the Connectivity Explorer application, which is not redistributable.
The Connectivity Explorer does not associate a file extension with its files. Consequently, clicking/double-clicking on a malicious file does not trigger the vulnerability. The vulnerability can only be exploited by explicitly opening the file from the Connectivity Explorer application by the user.
Affected are all Connectivity Explorer versions lower than 5.63.246 (QuickOPC 2022.1 build 246).
The Connectivity Explorer now restricts the types that are allowed to load.
Steven Seeley (mr_me) of Source Incite working with Trend Micro Zero Day Initiative.