VYPR
Unrated severity · NVD Advisory · Published Sep 28, 2022 · Updated May 20, 2025

SQL-Injection in Carlo Gavazzi UWP 3.0 Sentilo Proxy

CVE-2022-28815

Description

In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3, the Sentilo Proxy server was discovered to contain a SQL injection vulnerability allowing an attacker to query other tables of the Sentilo service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in Carlo Gavazzi Sentilo Proxy server allows attackers to query arbitrary database tables in UWP3.0 and CPY Car Park Server.

Vulnerability

A SQL injection vulnerability exists in the Sentilo Proxy server component of Carlo Gavazzi UWP3.0 (multiple versions) and CPY Car Park Server (version 2.8.3). The flaw allows an attacker to query other tables of the Sentilo service by injecting malicious SQL statements into the proxy's input [1].

Exploitation

An attacker with network access to the Sentilo Proxy server can exploit this vulnerability without prior authentication. By sending specially crafted requests containing SQL injection payloads, the attacker can manipulate the underlying database queries to retrieve data from arbitrary tables [1].

Impact

Successful exploitation enables the attacker to read sensitive information from the Sentilo database, potentially including credentials, configuration data, or other stored information. The advisory notes that an attacker can gain full access to the affected devices, indicating that this SQL injection may be a stepping stone to broader compromise [1].

Mitigation

As of the advisory publication date (2022-09-26), no specific patch or workaround is disclosed in the available reference [1]. Users are advised to contact Carlo Gavazzi Automation for updated firmware versions and to restrict network access to the Sentilo Proxy server as a temporary measure.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

6
  • = 2.8.3 (+ 1 more)
    • (no CPE) range: = 2.8.3
    • (no CPE) range: 2
  • Range: multiple versions
  • Carlo Gavazzi/UWP 3.0 Monitoring Gateway and Controller v5
    Range: 8
  • Carlo Gavazzi/UWP 3.0 Monitoring Gateway and Controller – EDP version v5
    Range: 8
  • Carlo Gavazzi/UWP 3.0 Monitoring Gateway and Controller – Security Enhanced v5
    Range: 8

Patches

0

No patches discovered yet.

References

1
