Unrated severity · NVD Advisory · Published Sep 28, 2022 · Updated May 21, 2025

Possible command injection in Car Park Server in Carlo Gavazzi UWP3.0

CVE-2022-28811

Description

In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3, a remote, unauthenticated attacker could utilize an improper input validation on an API-submitted parameter to execute arbitrary OS commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Carlo Gavazzi UWP3.0 and CPY Car Park Server contain a remote unauthenticated OS command injection due to improper input validation.

Vulnerability

An improper input validation vulnerability exists in the API of Carlo Gavazzi UWP3.0 (multiple versions) and CPY Car Park Server (version 2.8.3). The flaw allows remote, unauthenticated attackers to inject arbitrary OS commands via a crafted parameter submitted to the API. [1]

Exploitation

An attacker can exploit this without authentication by sending a specially crafted request to the affected API endpoint, injecting OS commands. No user interaction is required. The attack is network-based, targeting the device's API. [1]

Impact

Successful exploitation leads to arbitrary OS command execution, giving the attacker full control over the device. This can result in complete compromise of confidentiality, integrity, and availability of the affected device and potentially the network it resides on. [1]

Mitigation

The vendor has released firmware updates for the affected products. Users are advised to update to the latest versions as indicated in the advisory [1]. Workarounds may include restricting network access to the API until patching is applied. [1]

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

6
  • Range: multiple versions
  • = 2.8.3 + 1 more
    • (no CPE) range: = 2.8.3
    • (no CPE) range: 2
  • Carlo Gavazzi/UWP 3.0 Monitoring Gateway and Controller v5
    Range: 8
  • Carlo Gavazzi/UWP 3.0 Monitoring Gateway and Controller – EDP version v5
    Range: 8
  • Carlo Gavazzi/UWP 3.0 Monitoring Gateway and Controller – Security Enhanced v5
    Range: 8

References

1