CVE-2022-4987 Overview
CVE-2022-4987 affects Hirschmann Industrial HiVision, a network management platform used in operational technology (OT) environments. The flaw resides in the execution of user-configured external applications and stems from insufficient path sanitization [CWE-426]. A local attacker who can write to a directory in the resolution path can place a malicious binary that the application loads instead of the intended executable. Successful exploitation results in arbitrary code execution under the privilege context of the external application, which may include elevated privileges. Versions 08.1.03 prior to 08.1.04 and version 08.2.00 are affected.
Critical Impact
Local attackers can hijack the execution path of external applications launched by Industrial HiVision and run arbitrary binaries, potentially with elevated privileges, on systems managing industrial network infrastructure.
Affected Products
- Hirschmann Industrial HiVision 08.1.03 prior to 08.1.04
- Hirschmann Industrial HiVision 08.2.00
- Belden/Hirschmann OT network management deployments using the affected versions
Discovery Timeline
- 2026-04-03 - CVE-2022-4987 published to the National Vulnerability Database
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2022-4987
Vulnerability Analysis
Industrial HiVision allows operators to configure external applications that the platform launches as part of management workflows. The product resolves these external application paths without sufficient sanitization, classifying the issue as Untrusted Search Path [CWE-426]. When the platform invokes a configured external application, the operating system's path resolution may load a different binary than the administrator intended. The result is local code execution within the privilege context of the launching process, which in industrial management software is often elevated. Because Industrial HiVision is commonly deployed on engineering workstations and management servers in OT networks, exploitation can provide a foothold into systems that interact with industrial switches, routers, and protection relays.
Root Cause
The root cause is insufficient validation of the resolved path for user-configured external applications. The application does not enforce a fully qualified, integrity-checked path before invoking external binaries, allowing search-order resolution to substitute attacker-controlled files. This is a classic Untrusted Search Path weakness mapped to [CWE-426].
Attack Vector
Exploitation requires local access and limited privileges, plus user interaction to trigger the external application launch. The attacker writes a malicious binary into a directory that appears earlier in the resolution path than the legitimate application, or into a directory the configuration points to without canonicalization. When an operator invokes the configured action, the platform executes the attacker's binary. Detailed exploitation context is documented in the VulnCheck Advisory for Hirschmann and the Belden Security Bulletin BSECV-2021-03.
No verified public exploit code is available for this issue, so the mechanism is described in prose rather than reproduced as synthetic code.
Detection Methods for CVE-2022-4987
Indicators of Compromise
- Unexpected executable files written into directories referenced by Industrial HiVision external application configurations
- Child processes spawned by Industrial HiVision services from non-standard or user-writable directories
- File system changes in directories that precede legitimate application paths in the OS search order
- New or modified entries in the external application configuration that point to unusual paths
Detection Strategies
- Baseline the legitimate set of binaries invoked by Industrial HiVision and alert on deviations in parent-child process relationships
- Hunt for process executions where the Industrial HiVision service is the parent and the child binary resides in a user-writable directory
- Inspect Industrial HiVision configuration files and audit changes to external application path settings
- Correlate local logon activity on management hosts with subsequent process launches by the HiVision service
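The parent-child hunt described in the strategies above can be sketched as follows. This is an added example, not vendor or Belden code: the records are constructed and shaped like process-creation telemetry, and the install root, `PLACEHOLDER.exe` parent name, baseline entry and user-writable prefixes are assumptions to replace with values from your own hosts.

```powershell
# Added example: flag children of the HiVision process tree that fall outside a baseline.
$HiVisionRoot = 'C:\Program Files\Hirschmann\HiVision\'      # assumed install root
$Parent       = $HiVisionRoot + 'PLACEHOLDER.exe'            # placeholder parent binary name
$Baseline     = @($HiVisionRoot + 'ext\approved-tool.exe')   # hypothetical approved child
$UserWritable = @('C:\Users\', 'C:\ProgramData\', 'C:\Windows\Temp\', 'C:\Temp\')

# Constructed sample records (fields named after common process-creation telemetry).
$Events = @(
    [pscustomobject]@{ UtcTime = '2024-01-10 08:01:12'; User = 'OT\operator1'
        ParentImage = $Parent
        Image       = $HiVisionRoot + 'ext\approved-tool.exe' }
    [pscustomobject]@{ UtcTime = '2024-01-10 08:07:45'; User = 'OT\operator1'
        ParentImage = $Parent
        Image       = 'C:\Users\operator1\AppData\Local\Temp\approved-tool.exe' }
    [pscustomobject]@{ UtcTime = '2024-01-10 08:09:02'; User = 'OT\operator1'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Users\operator1\Downloads\setup.exe' }
)

function Find-SuspectChild {
    param([Parameter(Mandatory)][object[]]$Records)
    $cmp = [StringComparison]::OrdinalIgnoreCase
    foreach ($r in $Records) {
        # Only children launched from the HiVision installation tree are in scope.
        if (-not $r.ParentImage.StartsWith($HiVisionRoot, $cmp)) { continue }
        $reasons = @()
        if ($Baseline -notcontains $r.Image) { $reasons += 'not in baseline' }
        foreach ($prefix in $UserWritable) {
            if ($r.Image.StartsWith($prefix, $cmp)) { $reasons += "under user-writable $prefix" }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ UtcTime = $r.UtcTime; User = $r.User
                               Image   = $r.Image
                               Reasons = $reasons -join '; ' }
        }
    }
}

Find-SuspectChild -Records $Events | Format-List
```

Only the second record is reported: the first matches the baseline and the third has a parent outside the HiVision tree.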
Monitoring Recommendations
- Forward endpoint process telemetry from Industrial HiVision management hosts to a centralized analytics platform for retention and hunting
- Monitor file integrity for directories in the PATH and for the HiVision installation tree
- Track changes to user-configured external application entries through configuration management tooling
- Alert on privilege escalation patterns originating from the Industrial HiVision process tree
How to Mitigate CVE-2022-4987
Immediate Actions Required
- Upgrade Industrial HiVision to version 08.1.04 or a later fixed release as outlined in the Belden security bulletin
- Restrict local interactive logon to the Industrial HiVision management host to a minimal set of administrators
- Audit all user-configured external applications and replace relative paths with fully qualified, integrity-controlled paths
- Remove write permissions for non-administrative users on any directory referenced in the application search path
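The audit and permission steps above can be checked with a script like the following. It is an added example, not part of the Belden bulletin: `$ConfiguredApps` is constructed sample input because the page does not show how HiVision stores external application entries, and the trusted-SID list is an assumption to adjust for your environment.

```powershell
# Added example: audit launcher paths and search-path ACLs on a management host.
# $ConfiguredApps is constructed sample input, not HiVision's real configuration.
$ConfiguredApps = @(
    'C:\Tools\Terminal\terminal.exe',   # fully qualified
    'terminal.exe',                     # bare name: located via the OS search order
    '..\scripts\backup.cmd'             # relative: depends on the working directory
)
$TrustedSids = @(
    'S-1-5-18',       # SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# WriteData | AppendData | DeleteSubdirectoriesAndFiles | ChangePermissions |
# TakeOwnership | GENERIC_ALL | GENERIC_WRITE
$WriteBits = 0x500C0046

function Get-UntrustedWriter {
    param([Parameter(Mandatory)][string]$Directory)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = (Get-Acl -LiteralPath $Directory).GetAccessRules($true, $true, $sidType)
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.PropagationFlags -band 2) -ne 0) { continue }   # InheritOnly: not this folder
        if ($TrustedSids -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteBits) -ne 0) {
            [pscustomobject]@{ Directory = $Directory
                               Sid       = $ace.IdentityReference.Value
                               Rights    = $ace.FileSystemRights }
        }
    }
}

# 1. Machine PATH directories that a non-administrative principal can write to.
[Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    Where-Object { $_ } | Select-Object -Unique | ForEach-Object {
        $dir = [Environment]::ExpandEnvironmentVariables($_)
        if (Test-Path -LiteralPath $dir -PathType Container) { Get-UntrustedWriter -Directory $dir }
        else { Write-Warning "PATH entry does not exist: $dir" }
    }

# 2. Configured launchers: flag anything not fully qualified, then check its folder.
foreach ($app in $ConfiguredApps) {
    if ($app -notmatch '^(?:[A-Za-z]:\\|\\\\)') {
        Write-Warning "Not fully qualified, resolved by search order: $app"
        continue
    }
    $folder = Split-Path -Path $app -Parent
    if (Test-Path -LiteralPath $folder -PathType Container) { Get-UntrustedWriter -Directory $folder }
}
```

Run it from an elevated session so `Get-Acl` can read every directory; each object it returns is a directory where a principal outside the trusted list holds a write-capable right.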
Patch Information
Belden has released fixed versions of Industrial HiVision that address the path hijacking issue. Refer to the Belden Security Bulletin BSECV-2021-03 for the authoritative list of fixed builds and upgrade guidance. Versions 08.1.03 prior to 08.1.04 and 08.2.00 must be upgraded to remove the vulnerable code path.
Workarounds
- Apply strict file system ACLs so only administrators can write to directories used to resolve external applications
- Remove or disable unused external application configurations within Industrial HiVision
- Enforce application allowlisting on management hosts to block execution of unapproved binaries
- Isolate Industrial HiVision management servers in a segmented OT management network with restricted local access
```powershell
# Example: restrict write access on a Windows directory used in PATH resolution
icacls "C:\Program Files\Hirschmann\HiVision\ext" /inheritance:r
icacls "C:\Program Files\Hirschmann\HiVision\ext" /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" "Users:(OI)(CI)RX"
```