VYPR
← All advisories
Unrated severityNVD Advisory· Published Sep 28, 2022· Updated May 21, 2025

Hard-coded credentials in Carlo Gavazzi UWP3.0 allows for authentication bypass and full control of the device

CVE-2022-22522

Description

In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could make use of hard-coded credentials to gain full access to the device.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Hard-coded credentials in Carlo Gavazzi UWP3.0 and CPY Car Park Server allow remote unauthenticated attackers to gain full device access.

Vulnerability

Carlo Gavazzi UWP3.0 (multiple versions) and CPY Car Park Server version 2.8.3 contain hard-coded credentials embedded in the device firmware and web interface. An attacker who can reach the device over the network can use these credentials to authenticate without any prior knowledge or access.

Exploitation

A remote, unauthenticated attacker with network access to the affected device can leverage the hard-coded credentials to log in to the web interface or other services. No user interaction or special privileges are required. The attacker simply identifies the device and uses the known credentials to gain authenticated access.

Impact

Successful exploitation grants the attacker full administrative access to the device. This includes the ability to read and modify configuration settings, control device operations, and potentially disrupt services or cause physical damage depending on the deployment context.

Mitigation

Carlo Gavazzi has released firmware updates to address this vulnerability; users should upgrade to the latest version provided by the vendor. If patching is not immediately possible, restrict network access to the device to trusted hosts only and monitor for unauthorized access attempts. [1]

References
  1. Carlo Gavazzi Controls: Multiple Vulnerabilities in Controller UWP 3.0

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

6
  • Carlosgavazzi/UWP3.0llm-create
  • Carlosgavazzi/CPY Car Park Serverllm-create2 versions
    = 2.8.3+ 1 more
    • (no CPE)range: = 2.8.3
    • (no CPE)range: 2
  • Carlo Gavazzi/UWP 3.0 Monitoring Gateway and Controllerv5
    Range: 8
  • Carlo Gavazzi/UWP 3.0 Monitoring Gateway and Controller – EDP versionv5
    Range: 8
  • Carlo Gavazzi/UWP 3.0 Monitoring Gateway and Controller – Security Enhancedv5
    Range: 8

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.