S2Opc
Monthly
Improper certificate trust validation in Systerel S2OPC allows remote attackers to have well-formed but untrusted X.509 certificates accepted as trusted, undermining the OPC UA secure channel authentication model. CVSS 7.3 reflects network-reachable, unauthenticated exploitation with low impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. The flaw is reported by GitLab and tracked in Systerel's public issue tracker, with no CISA KEV listing.
Improper certificate revocation checking in S2OPC's CycloneCrypto wrapper permits OPC UA connections authenticated with revoked certificates. The library evaluates only the first Certificate Revocation List (CRL) matching a given CA and silently discards any additional valid CRLs issued by that same CA - meaning a certificate listed exclusively in a secondary CRL passes validation unchallenged. With CVSS 5.6 (AV:N/AC:H/PR:N/UI:N), all published versions of systerel/s2opc are affected per CPE. No public exploit code or CISA KEV listing has been identified at time of analysis.
Improper certificate trust validation in Systerel S2OPC allows remote attackers to have well-formed but untrusted X.509 certificates accepted as trusted, undermining the OPC UA secure channel authentication model. CVSS 7.3 reflects network-reachable, unauthenticated exploitation with low impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. The flaw is reported by GitLab and tracked in Systerel's public issue tracker, with no CISA KEV listing.
Improper certificate revocation checking in S2OPC's CycloneCrypto wrapper permits OPC UA connections authenticated with revoked certificates. The library evaluates only the first Certificate Revocation List (CRL) matching a given CA and silently discards any additional valid CRLs issued by that same CA - meaning a certificate listed exclusively in a secondary CRL passes validation unchallenged. With CVSS 5.6 (AV:N/AC:H/PR:N/UI:N), all published versions of systerel/s2opc are affected per CPE. No public exploit code or CISA KEV listing has been identified at time of analysis.