Command injection in restore function of Carlo Gavazzi UWP3.0 allows for command injection
Description
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in version 2.8.3, a remote attacker with admin rights could execute arbitrary commands due to missing input sanitization in the backup restore function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Carlo Gavazzi UWP3.0 and CPY Car Park Server 2.8.3 allow authenticated remote attackers to execute arbitrary commands via unsanitized input in the backup restore function.
Vulnerability
The backup restore function in Carlo Gavazzi UWP3.0 (multiple versions) and CPY Car Park Server version 2.8.3 lacks input sanitization, allowing command injection. An attacker with administrative privileges can exploit this flaw to execute arbitrary operating system commands on the device. The affected products are part of the UWP 3.0 family of Monitoring Gateways and Controllers and the CPY Car Park Server [1].
Exploitation
An attacker must have network access to the device and possess valid administrative credentials. The attacker can craft a malicious backup file or input that, when processed by the restore function, injects arbitrary commands. The restore function does not validate or sanitize the input, leading to command execution with the privileges of the device's runtime environment [1].
Impact
Successful exploitation allows the attacker to execute arbitrary commands on the affected device, leading to full system compromise. This can result in unauthorized data access, modification, or deletion, as well as potential disruption of device operations. The attacker gains complete control over the device's functionality [1].
Mitigation
Carlo Gavazzi has released firmware updates to address this vulnerability. Users should update UWP3.0 devices to the latest available version and CPY Car Park Server to a patched version as specified in the vendor advisory. No workarounds are documented; applying the fix is the recommended mitigation [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
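The flaw class described in the Vulnerability and Mitigation sections above (a backup restore routine that passes an attacker-controlled value into a shell command) is illustrated here with an added Python example. It is not code from Carlo Gavazzi, UWP3.0, CPY Car Park Server or the VDE advisory; the backup directory, the `.tgz` naming convention and the `tar` invocation are assumptions chosen for illustration. The unsafe builder shows how an unsanitized name becomes part of a shell command string; the hardened form enforces an allowlist on the name, confines the resolved path to the backup directory, and hands the arguments to the process as a list so that no shell ever parses them.

```python
import re
import subprocess
from pathlib import Path
from typing import List

# Assumed backup location for this example; a real device would use its own path.
BACKUP_DIR = Path("/var/backups/uwp")

# Allowlist for backup file names: letters, digits, dot, underscore and hyphen,
# ending in .tgz. Path separators, whitespace and shell metacharacters are excluded.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+\.tgz$")


def unsafe_restore_command(name: str) -> str:
    """Vulnerable pattern (for contrast only): the user-supplied name is
    interpolated straight into a string that would be handed to a shell via
    os.system() or subprocess.run(..., shell=True). Any character the shell
    treats specially in `name` changes the command that actually runs."""
    return f"tar -xzf {BACKUP_DIR}/{name} -C /"


def restore_argv(name: str) -> List[str]:
    """Hardened form: validate the name against a strict allowlist, confine the
    resolved path to BACKUP_DIR, and return an argv list for subprocess.run()
    without shell=True, so the name is never interpreted by a shell."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("backup name contains characters outside the allowlist")
    if name.startswith("."):
        raise ValueError("hidden or relative names are not allowed")
    target = (BACKUP_DIR / name).resolve()
    # Path confinement: resolve() collapses '..' components and symlinks in the
    # existing part of the path; refuse anything outside the backup directory.
    if BACKUP_DIR.resolve() not in target.parents:
        raise ValueError("backup path escapes the backup directory")
    return ["tar", "-xzf", str(target), "-C", "/"]


def run_restore(name: str) -> None:
    """Execute the validated restore. The argv list form means tar receives the
    file name as a single argument; there is no shell to split or expand it."""
    subprocess.run(restore_argv(name), check=True)
```

The validator rejects a name before any path is built, so a rejected request never reaches `tar`; logging the rejected name (from an admin session, since the advisory says admin rights are required) is a useful detection signal for attempts against a restore endpoint.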
Affected products
- (no CPE): version = 2.8.3
- (no CPE): range 2
- Carlo Gavazzi / UWP 3.0 Monitoring Gateway and Controller
- Carlo Gavazzi / UWP 3.0 Monitoring Gateway and Controller – EDP version
- Carlo Gavazzi / UWP 3.0 Monitoring Gateway and Controller – Security Enhanced
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] cert.vde.com/en/advisories/VDE-2022-029/ (MITRE x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.