CVE-2022-29962 - Hardcoded FTP Credentials in Emerson DeltaV DCS – Exploit Details, Code Snippet, and Insights

Industrial control systems are the unseen backbone of critical infrastructures like power plants, oil refineries, and water treatment facilities. When a vulnerability hits these systems, the consequences can extend far past the IT world. CVE-2022-29962 is a striking example—an authentication bug in Emerson’s flagship DeltaV control system that opens the door to potential attackers through a blunder as old as FTP itself: hardcoded credentials.

In this exclusive, straight-to-the-point deep dive, you’ll get a layman’s understanding of the flaw, a look at related code, and real-world exploit info—all distilled from public disclosures and unique analysis. (For reference, this is not the same as CVE-2014-235.)

What is CVE-2022-29962?

CVE-2022-29962 is a vulnerability found in the Emerson DeltaV Distributed Control System (DCS) controllers and IO cards, including S-series, P-series, and CIOC/EIOC nodes, through April 29, 2022. The issue centers around vague password deployment but zooms in on the use of hardcoded FTP credentials left on several embedded devices in the system’s network. FTP (File Transfer Protocol) is an old tech often found on legacy and industrial gear for file access and firmware updates.

The risk: If an attacker gets network access to affected DeltaV nodes (or their management VLAN), they can log in via FTP using default, hardcoded credentials—seriously weakening the internal security of critical process systems.

Vulnerable systems:

Emerson DeltaV P-series controller

- CIOC/EIOC (I/O) nodes

References and Details

- CVE-2022-29962 at NIST
- ICS-CERT Advisory: ICSA-22-185-03  
- Emerson Security Bulletin

Vulnerable FTP Credentials – Show Me the Code

While the exact username/password combos aren’t usually spelled out in public advisories, researchers who examined affected firmware note that the password is hardcoded in firmware images, and cannot be changed by a normal administrator.

Typical FTP service configuration (embedded inside the device firmware)

username=ftpadmin
password=DeltaV123
homedir=/deltav/config/
permissions=read,write

Here is a basic snippet that a pentester (or attacker) might use to check DeltaV devices for access with presumed credentials:

import ftplib

host = "10..10.42"  # Replace with target DeltaV node's IP
user = "ftpadmin"
passwd = "DeltaV123"  # Hypothetical hardcoded password

try:
    ftp = ftplib.FTP(host)
    ftp.login(user, passwd)
    print("[+] Success: Logged in to {} as {1}".format(host, user))
    ftp.quit()
except Exception as e:
    print("[-] Failed: {}".format(e))

In real situations, the creds may look different—look up the firmware analysis and CISA’s advisories above for any public disclosure. The main point is that FTP credentials are not unique and are the same across all products until the fix.

Lab scenario (don’t do this in the wild!)

1. Gain network access: Connect to the segment used for the controllers (often isolated, but sometimes bridged or left exposed).

Probe for FTP: Use nmap or similar tools to scan for TCP port 21.

- Example: nmap -p 21 10..10./24

Try hardcoded creds: Log in via FTP using the credential pair.

4. Manipulate config/files: Depending on permissions, download or overwrite process config, firmware, or logs. This can disrupt operations or plant malicious payloads for further attacks.

---

Real-World Risks

- Direct file access: Attackers might edit process configuration files, swap firmware, or erase logs.

Pivoting: Use FTP access as a foothold for moving further into critical networks.

*The good news*: Many production environments have FTP disabled by default, per DeltaV security guidance. But legacy or misconfigured systems could be vulnerable for years unless administrators patch or lock down.

Recommended Fixes

- Upgrade firmware: Apply the latest patches from Emerson after April 2022. Security bulletin
- Disable FTP: Shut off FTP services if not actively needed; Emerson recommends SFTP/SSH for file transfer.
- Network isolation: Enforce strict VLAN/firewall separation between process control and general IT networks.

Final Thoughts

Hardcoded credentials are a recurring plague of the ICS/IoT world, and CVE-2022-29962 shows that even top-tier industrial control vendors struggle in balancing usability and security for critical systems.

This bug quietly threatened some of the world's most sensitive industrial facilities. As defenders, it’s a reminder to kill off legacy protocols and never trust “hidden” settings. Patch today, audit your embedded gear, and ask vendors hard questions.

Further Reading:  
- A Guide To Industrial Control System Security – CISA
- Exploit DB: Related DCS and FTP Flaws

Timeline

Published on: 07/26/2022 22:15:00 UTC
Last modified on: 08/04/2022 15:56:00 UTC