CVE-2022-40976 - How a ZIP-Slip Path Traversal Bug Hit Pilz Devices — And How Attackers Exploit It

In 2022, a dangerous vulnerability—CVE-2022-40976—was discovered in several industrial products from Pilz, a global leader in automation safety solutions. This vulnerability may sound technical, but it’s rooted in a simple programming mistake, and it leaves systems open to *arbitrary file writes*—one of the most critical security flaws out there.

In this long read, I’ll walk you through

* What CVE-2022-40976 is, in plain English
* How the “ZIP-Slip” attack works
* Why Pilz products were exposed
* An example exploit (with code!)
* How to keep your industrial control systems safe
* Original references for deeper technical details

What Is CVE-2022-40976?

CVE-2022-40976 is a path traversal vulnerability in several Pilz devices—including but not limited to PNOZmulti Configurator and related software.

In simpler terms:
A local, unauthenticated attacker (meaning: someone who does not need to log in first) could craft a zipped configuration file that, when imported into Pilz products, overwrites any file on the device, *not* just the expected configs.

Pilz’s security advisory:
https://www.pilz.com/en-US/support/whitepaper/articles/230308

The flaw has a CVSS score of 8.2 (High severity). It is also referenced here at NVD:
https://nvd.nist.gov/vuln/detail/CVE-2022-40976

What Is “ZIP-Slip” and Why Is It Dangerous?

ZIP-Slip is a “classic” trick that dates back years. Insecure code *unzips* files without properly checking their paths, letting an attacker write files anywhere on the system, not just inside the intended “safe” folder.

Here’s the heart of it:

* Attackers put “../” (dot-dot-slash) path traversal segments in the file names inside the zip file
* Unzip routines extract blindly, so an entry named ../../../../etc/passwd is written *anywhere* the traversal leads, even into system folders!

When this happens inside critical devices or applications, attackers can:

* Overwrite system/application files
* Plant malicious code
* Destroy configurations or settings
* Cause denial-of-service

This is why ZIP-Slip keeps showing up in security advisories.

Why Did Pilz Devices Get Exposed?

Many industrial controller and PLC software tools use zipped project/configuration files, because they are easy to export, import, and back up. But if the software doesn’t *sanitize* what’s inside those archives, it’s a prime ZIP-Slip target.

CVE-2022-40976 affects scenarios where:

* A maintenance worker, engineer, or even *malicious local user* uploads/imports a configuration ZIP to a Pilz system.
* The system extracts all files, trusting what’s inside.
* Malicious ZIP files with “../” paths get extracted outside the allowed folder.

Step-by-Step: How an Exploit Works

Let’s see how an attacker would use this vulnerability.

1. Build a Malicious ZIP File

Suppose the target system stores imported project files in C:\ProgramData\Pilz\Configs\.

An attacker crafts a ZIP with this structure:

evil.zip
|
|- my_config.xml
|- ../../../../Windows/System32/drivers/etc/hosts

Here, the second file’s path carries FOUR “../” segments, so when it is unzipped carelessly it lands outside Configs, wherever the attacker chose.

Generating such a ZIP in Python:

import zipfile

with zipfile.ZipFile('evil.zip', 'w') as zf:
    zf.writestr('my_config.xml', '<safe>Legit file</safe>')
    # The dangerous file:
    zf.writestr('../../../../Windows/System32/drivers/etc/hosts', 'Malicious hosts content\n')

*The above creates a “ZIP slip” archive that will overwrite the Windows hosts file if extracted incorrectly.*

2. Deliver the Malicious Config

The attacker sends or places this ZIP on the target system, perhaps using a USB stick, shared folder, or social engineering (“Here’s an urgent config update!”).

3. Trigger Unzip/Import — and Arbitrary File Write

The Pilz software imports ZIPs without checking for path traversal. Every file is extracted—directory traversal and all.

Result: system files outside the intended directory are overwritten by attacker content. From there, the attacker can pursue:

* Privilege escalation: overwrite settings files, weaken security, or drop exploit code
* Sabotage: damage the safety of production lines by replacing logic/config files

How To Protect Against ZIP-Slip? (Defensive Coding)

If you’re a developer or sysadmin, rule #1 is: Never trust ZIP file paths.

Safe extraction routine (Python example):

import os
import zipfile

def safe_extract(zip_path, extract_dir):
    # Resolve the destination once; realpath also collapses symlinks
    base = os.path.realpath(extract_dir)
    with zipfile.ZipFile(zip_path, 'r') as zf:
        for member in zf.namelist():
            # Resolve where this entry would really land (collapses any ../)
            target = os.path.realpath(os.path.join(base, member))
            # Compare path components, not string prefixes: a plain
            # startswith() would accept "Configs_evil" as inside "Configs"
            if os.path.commonpath([base, target]) != base:
                raise ValueError('ZIP-Slip detected: %s' % member)
            zf.extract(member, base)

This ensures *no* file in the archive escapes the extraction directory, no matter how many ../ are used.
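The routine above raises on the first bad entry, but when you are vetting configuration archives before they reach an importer (a USB-stick upload, a shared-folder drop, or a file attached to an “urgent update” email), it is more useful to inspect the whole archive and list every entry that would escape. The following is an added example, not code from the original post or from Pilz: it builds a constructed in-memory archive with one legitimate entry and four hostile ones (dot-dot traversal, an absolute path, Windows-style backslash separators, and a traversal hidden behind a subdirectory), reports which entries are unsafe, and shows why the common startswith() prefix check gives a false negative for a sibling directory that shares the destination’s name as a prefix. The destination /tmp/pilz_configs is a placeholder, not a path from the advisory.

```python
import io
import os
import posixpath
import zipfile


def naive_is_inside(base, member):
    """The common but flawed check: a string-prefix comparison."""
    base = os.path.abspath(base)
    target = os.path.abspath(os.path.join(base, member))
    return target.startswith(base)


def is_inside(base, member):
    """Correct containment check: the resolved target must have the base as a
    path-component prefix, not merely as a string prefix."""
    base = os.path.realpath(base)
    # ZIP entries should use '/', but a hostile archive may carry '\\' too.
    normalized = member.replace('\\', '/')
    target = os.path.realpath(os.path.join(base, normalized))
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:
        # commonpath raises when the two paths are on different drives (Windows)
        return False


def find_unsafe_members(zip_bytes, extract_dir):
    """Return the entry names in an in-memory archive that must not be
    extracted into extract_dir. Nothing is written to disk."""
    unsafe = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if posixpath.isabs(name) or not is_inside(extract_dir, name):
                unsafe.append(name)
    return unsafe


def build_sample_archive():
    """Constructed sample: one legitimate entry plus four hostile ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('my_config.xml', '<safe>Legit file</safe>')
        zf.writestr('../../outside.txt', 'escapes via dot-dot')
        zf.writestr('/etc/hostname', 'absolute path entry')
        zf.writestr('..\\..\\backslash.txt', 'Windows-style separators')
        zf.writestr('sub/../../nested.txt', 'traversal hidden behind a subdir')
    return buf.getvalue()


def validate_sample_archive(extract_dir='/tmp/pilz_configs'):
    """Run the validator over the constructed archive and return the names
    that would escape extract_dir (placeholder path, not from the advisory)."""
    return find_unsafe_members(build_sample_archive(), extract_dir)


def naive_check_misses_sibling_dir(base='/tmp/pilz_configs'):
    """Demonstrates the false negative: an entry that resolves into the sibling
    directory /tmp/pilz_configs_evil passes startswith() but fails the
    component-wise check. Returns (naive_result, correct_result)."""
    member = '../pilz_configs_evil/payload.txt'
    return naive_is_inside(base, member), is_inside(base, member)


if __name__ == '__main__':
    for name in validate_sample_archive():
        print('REJECT:', name)
    print('sibling-directory entry: naive=%s correct=%s'
          % naive_check_misses_sibling_dir())
```

Two design points worth noting. First, the validator never calls extract(), so it can run on an inbound file before anything touches the destination, which is exactly where an import path or a file-transfer gateway should apply it. Second, recent versions of Python’s own ZipFile.extract() already strip traversal and absolute components from entry names, so on this particular runtime the check is defense in depth; the logic matters because the same containment test has to be written by hand in the C, C#, or Java extraction code that embedded and engineering tools typically use.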

References

* Original advisory from Pilz: Pilz Product Security Advisory PSA-2023-03 (https://www.pilz.com/en-US/support/whitepaper/articles/230308)
* MITRE/NVD entry: CVE-2022-40976 (https://nvd.nist.gov/vuln/detail/CVE-2022-40976)
* OWASP “ZIP-Slip” description: OWASP Zip-Slip
* Research writeup that popularized ZIP-Slip: Snyk - Zip Slip Vulnerability

Final Thoughts

CVE-2022-40976 is a reminder that simple mistakes—in this case, handling ZIP file paths—can put even the most trusted hardware at risk. If you use Pilz products, make sure every update is applied, and never import ZIPs unless you know *exactly* where they came from.

For coders: filtering for path traversal isn’t optional. Defend every file extraction, or someday you’ll be in one of these reports.

Timeline

Published on: 11/24/2022 10:15:00 UTC