Experts found 11 security flaws in a parking management system

October 7, 2022

Eleven security flaws have been found in a car parking management system, CPY Car Park Server, owned by the Italy-based firm Carlo Gavazzi, exposing its users to cyberattacks.

According to the experts who discovered the vulnerabilities, if left unpatched they pose a serious risk to users because they allow attackers full access to the affected products and devices. After being notified of the findings, the vendor released patches for the affected products earlier this year.

Aside from the CPY Car Park Server, Carlo Gavazzi’s UWP 3.0 monitoring gateway and controller was also affected by the discovered vulnerabilities. The researchers explained that the impacted UWP product is essential to the CPY Car Park Server, as it is used to monitor and control the other devices in a parking lot so that users know whether a parking spot is available. The sensors in each parking spot detect a car’s presence and report to the CPY Car Park Server, which aggregates the data, provides analytics, and orchestrates the whole process.

The security flaws found in the parking management system relate to hardcoded credentials, missing authentication, SQL injection, path traversal, improper input validation, and other high-severity issues.

The experts added that threat actors could abuse the vulnerabilities to bypass authentication, steal critical data, and remotely execute commands that give them full control of an affected product.

Despite the concerns raised by these findings, the researchers note a mitigating factor: a threat actor must first have access to the targeted network to abuse the security flaws, which is difficult to achieve.

Nonetheless, users and the affected vendor must not be complacent: should an attacker gain access to such a network, severe damage could be done and the security of the deployment compromised.

The researchers described several attack scenarios should the flaws be exploited, including attackers modifying or falsifying monitoring data and taking control of nested devices to disrupt operations and physical processes.

The vendor has since released new versions of the affected products that address the critical flaws and the resulting exposure of users to cyberattacks. Users are therefore advised to patch their devices immediately.
