Missing authentication for API in Carlo Gavazzi UWP 3.0 Car Park Server
Description
In multiple versions of Carlo Gavazzi UWP3.0 and in CPY Car Park Server version 2.8.3, missing authentication allows full access via the API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authentication in Carlo Gavazzi UWP3.0 and CPY Car Park Server allows full API access without credentials.
Vulnerability
The vulnerability is a missing authentication flaw in the Carlo Gavazzi UWP 3.0 family of Monitoring Gateways and Controllers (multiple versions) and the CPY Car Park Server (version 2.8.3). The API endpoints do not require any authentication, allowing unauthenticated access to the device's API [1].
Exploitation
An attacker with network access to the affected device can directly call the API without any prior authentication, user interaction, or special privileges. The only requirement is that the device is reachable over the network [1].
Impact
Successful exploitation grants the attacker full access to the device via the API. This can lead to complete compromise of the device's functionality, including potential control, data disclosure, and disruption of services [1].
Mitigation
Carlo Gavazzi has released firmware updates for the affected products. Users should update to the latest firmware version as provided by the vendor. For specific version details, refer to the vendor advisory [1]. If patching is not immediately possible, isolate the devices from untrusted networks as a workaround.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE), range: 2.8.3
- (no CPE), range: 2
- Carlo Gavazzi/UWP 3.0 Monitoring Gateway and Controller, v5, range: 8
- Carlo Gavazzi/UWP 3.0 Monitoring Gateway and Controller – EDP version, v5, range: 8
- Carlo Gavazzi/UWP 3.0 Monitoring Gateway and Controller – Security Enhanced, v5, range: 8
Patches
No patches discovered yet.
References
[1] cert.vde.com/en/advisories/VDE-2022-029/ (mitre, x_refsource_CONFIRM)