Skip to main content
(844) 422-7000

Author: Admin @CloudCentric

Delta Electronics InfraSuite Device Master

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Delta Electronics
Equipment: InfraSuite Device Master
Vulnerabilities: Deserialization of Untrusted Data, Improper Access Control, Exposed Dangerous Method or Function, Path Traversal, Improper Authentication, Command Injection, Incorrect Permission Assignment for Critical Resource, Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to obtain access to files and credentials, escalate privileges, and remotely execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of InfraSuite Device Master, a real-time device monitoring software, are affected:

Versions prior to 1.0.5

3.2 VULNERABILITY OVERVIEW

3.2.1    DESERIALIZATION OF UNTRUSTED DATA CWE-502

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a vulnerability in which the Device-status service listens on port 10100/ UDP by default. The service accepts the unverified UDP packets and deserializes the content, which could allow an unauthenticated attacker to remotely execute arbitrary code.

CVE-2023-1133 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2    DESERIALIZATION OF UNTRUSTED DATA CWE-502

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-gateway service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.

CVE-2023-1139 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.3    DESERIALIZATION OF UNTRUSTED DATA CWE-502

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.

CVE-2023-1145 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.4    IMPROPER ACCESS CONTROL CWE-284

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain an improper access control vulnerability, which could allow an attacker to retrieve Gateway configuration files to obtain plaintext credentials.

CVE-2023-1138 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.5    IMPROPER ACCESS CONTROL CWE-284

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.

CVE-2023-1144 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.6    IMPROPER ACCESS CONTROL CWE-284

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a vulnerability in which a low-level user could extract files and plaintext credentials of administrator users, resulting in privilege escalation.

CVE-2023-1137 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

3.2.7    EXPOSED DANGEROUS METHOD OR FUNCTION CWE-749

In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.

CVE-2023-1143 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.8    IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a path traversal vulnerability, which could allow an attacker to read local files, disclose plaintext credentials, and escalate privileges.

CVE-2023-1134 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

3.2.9    IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation.

CVE-2023-1142 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.10    IMPROPER AUTHENTICATION CWE-287

In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an unauthenticated attacker could generate a valid token, which would lead to authentication bypass.

CVE-2023-1136 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.11    IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a command injection vulnerability that could allow an attacker to inject arbitrary commands, which could result in remote code execution.

CVE-2023-1141 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.12    INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732

In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could set incorrect directory permissions, which could result in local privilege escalation.

CVE-2023-1135 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.13    MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a vulnerability that could allow an attacker to achieve unauthenticated remote code execution in the context of an administrator.

CVE-2023-1140 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Piotr Bazydlo (@chudypd) of Trend Micro and Anonymous working with Trend Micro’s Zero Day Initiative reported these vulnerabilities to CISA.

4. MITIGATIONS

Delta Electronics recommends users uninstall old versions of InfraSuite Device Master and reinstall the updated version 1.0.5 using the installer.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploits specifically target these vulnerabilities.

ProPump and Controls Osprey Pump Controller

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available 
Vendor: ProPump and Controls, Inc. 
Equipment: Osprey Pump Controller 
Vulnerabilities: Insufficient Entropy, Use of GET Request Method with Sensitive Query Strings, Use of Hard-coded Password, OS Command Injection, Cross-site Scripting, Authentication Bypass using an Alternate Path or Channel, Cross-Site Request Forgery, Command Injection 

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access, retrieve sensitive information, modify data, cause a denial-of-service, and/or gain administrative control. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following version of Osprey Pump Controller, pumping systems, and automated controls is affected: 

Osprey Pump Controller version 1.01 

3.2 VULNERABILITY OVERVIEW

3.2.1 INSUFFICIENT ENTROPY CWE-331 

Osprey Pump Controller version 1.01 is vulnerable to a predictable weak session token generation algorithm and could aid in authentication and authorization bypass. This could allow a cyber threat actor to hijack a session by predicting the session id and gain unauthorized access to the product. 

CVE-2023-28395 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L). 

3.2.2 USE OF GET REQUEST METHOD WITH SENSITIVE QUERY STRINGS CWE-598 

Osprey Pump Controller version 1.01 is vulnerable to an unauthenticated file disclosure. Cyber threat actors could use a GET parameter to force the affected device to disclose arbitrary files and sensitive system information. 

CVE-2023-28375 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). 

3.2.3 USE OF HARD-CODED PASSWORD CWE-259 

Osprey Pump Controller version 1.01 has a hidden administrative account with a hardcoded password that allows full access to the web management interface configuration. The account is not visible in the Usernames and Passwords menu list of the application and the password cannot be changed through any normal operation of the device. 

CVE-2023-28654 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 

3.2.4 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78 

Osprey Pump Controller version 1.01 is vulnerable to an unauthenticated OS command injection vulnerability. Threat actors could exploit this vulnerability to inject and execute arbitrary shell commands through a HTTP POST parameter called by index.php script. 

CVE-2023-27886 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 

3.2.5 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78 

Osprey Pump Controller version 1.01 is vulnerable an unauthenticated OS command injection vulnerability. Threat actors could exploit this vulnerability to inject and execute arbitrary shell commands through a HTTP GET parameter called by DataLogView.php, EventsView.php and AlarmsView.php scripts. 

CVE-2023-27394 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 

3.2.6 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79 

Osprey Pump Controller version 1.01 inputs passed to a GET parameter are not properly sanitized before being returned to the user. Threat actors could exploit this vulnerability to execute arbitrary HTML/JS code in a user’s browser session in context of an affected site. 

CVE-2023-28648 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). 

3.2.7 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL CWE-288 

Osprey Pump Controller version 1.01 could allow an unauthenticated user to create an account and bypass authentication, thereby gaining unauthorized access to the system. A threat actor could exploit this vulnerability to create a user account without providing valid credentials. A threat actor who successfully exploits this vulnerability could gain access to the pump controller and cause disruption in operation, modify data, or shut down the controller. 

CVE-2023-28398 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 

3.2.8 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352 

Osprey Pump Controller version 1.01 allows users to perform certain actions via HTTP requests without performing any checks to verify the requests. This could allow an unauthorized user to perform certain actions with administrative privileges if a logged-in user visits a malicious website. 

CVE-2023-28718 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H). 

3.2.9 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77 

Osprey Pump Controller version 1.01 contains an unauthenticated command injection vulnerability that could allow system access with www-data permissions. 

CVE-2023-28712 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: United States 

3.4 RESEARCHER

Gjoko Krstic of Zero Science Lab reported these vulnerabilities to CISA.

4. MITIGATIONS

ProPump and Controls has not responded to requests to work with CISA to mitigate the reported vulnerabilities. Users of the affected product are encouraged to contact ProPump and Controls representative

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

VISAM VBASE Automation Base

1. EXECUTIVE SUMMARY

CVSS v3 5.5
ATTENTION: Low attack complexity 
Vendor: VISAM 
Equipment: VBASE 
Vulnerabilities: Improper Restriction of XML External Entity Reference

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to obtain sensitive information from the target device. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

VISAM reports these vulnerabilities affect the following VBASE products:  

VBASE Automation Base: versions prior to 11.7.5 

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611 

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. 

CVE-2022-41696 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). 

3.2.2 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611 

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. 

CVE-2022-43512 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). 

3.2.3 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611 

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. 

CVE-2022-45121 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). 

3.2.4 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611 

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. 

CVE-2022-45468 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). 

3.2.5 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611 

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. 

CVE-2022-45876 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). 

3.2.6 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611 

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. 

CVE-2022-46286 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). 

3.2.7 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611 

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. 

CVE-2022-46300 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

Kimiya, working with Trend Micro Zero Day Initiative, reported these vulnerabilities to CISA. 

4. MITIGATIONS

VISAM recommends users update to VBASE 11.7.5 or later. The update can be performed via the VBASE Editor update dialog on machines with secure access to the internet.  Users of machines without internet access must manually update by submitting a request form to receive a download link. 

For more information, users should contact VISAM using the information provided on their contact page (German language). 

CISA recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages. 
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely. These vulnerabilities have low attack complexity. 

Keysight N6845A Geolocation Server

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Keysight Technologies
Equipment: N6854A Geolocation Sever
Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to escalate privileges in the affected device’s default configuration, resulting in remote code execution or deleting system files and folders.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Keysight monitoring products are affected:

N6854A Geolocation Server versions 2.4.2 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1    DESERIALIZATION OF UNTRUSTED DATA CWE-502

N6854A Geolocation Server versions 2.4.2 are vulnerable to untrusted data deserialization, which may allow a malicious actor to escalate privileges in the affected device’s default configuration and achieve remote code execution.

CVE-2023-1399 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications, Government
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

An anonymous individual working with Trend Micro’s Zero Day Initiative reported this vulnerability to CISA.

4. MITIGATIONS

Keysight recommends upgrading the N6854A Geolocation server to version 2.4.3.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.

SAUTER EY-modulo 5 Building Automation Stations

1. EXECUTIVE SUMMARY

CVSS v3 8.8
ATTENTION: Exploitable remotely/low attack complexity 
Vendor: SAUTER 
Equipment: EY-modulo 5 Building Automation Stations 
Vulnerabilities: Cross-site Scripting, Cleartext Transmission of Sensitive Information, and Unrestricted Upload of File with Dangerous Type 

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could lead to privilege escalation, unauthorized execution of actions, a denial-of-service condition, or retrieval of sensitive information. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

SAUTER reports these vulnerabilities affect the following EY-modulo 5 Building Automation Stations:  

EY-AS525F001 with moduWeb 

3.2 VULNERABILITY OVERVIEW

3.2.1 CROSS-SITE SCRIPTING CWE-79 

An unauthenticated remote attacker could provide a malicious link and trick an unsuspecting user into clicking on it. If clicked, the attacker could execute the malicious JavaScript (JS) payload in the target’s security context. 

CVE-2023-28650 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.2 CROSS-SITE SCRIPTING CWE-79 

A malicious user could leverage this vulnerability to escalate privileges or perform unauthorized actions in the context of the targeted privileged users. 

CVE-2023-28655 has been assigned to this vulnerability. A CVSS v3 base score of 8.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). 

3.2.3 CROSS-SITE SCRIPTING CWE-79 

An unauthenticated remote attacker could force all authenticated users, such as administrative users, to perform unauthorized actions by viewing the logs. This action would also grant the attacker privilege escalation. 

CVE-2023-22300 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.4 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319 

An authenticated malicious user could acquire the simple mail transfer protocol (SMTP) Password in cleartext format, despite it being protected and hidden behind asterisks. The attacker could then perform further attacks using the SMTP credentials. 

CVE-2023-27927 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). 

3.2.5 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434 

An authenticated malicious user could successfully upload a malicious image could lead to a denial-of-service condition. 

CVE-2023-28652 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Switzerland 

3.4 RESEARCHER

Ithaca Labs of Odyssey Cyber Security reported this vulnerability to CISA. 

4. MITIGATIONS

According to SAUTER, the EY-modulo 5 Building Automation Stations product line does not support encryption on its communication protocols. As such, it is not appropriate for open networks.  

SAUTER recommends deactivating moduWeb when not in use as doing so closes the vulnerabilities related to the web server and the mail client service; users can upgrade to the latest generation modulo 6 with moduWeb Unity as the web server, which supports encrypted communication with TLS. 

SAUTER recommends users take all necessary measures to protect the integrity of building automation networks, restrict access to the devices, and leverage all appropriate means and policies to minimize risks. Users should evaluate and upgrade legacy systems to current solutions where necessary. 

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages. 
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity. 

ABB Pulsar Plus Controller

1. EXECUTIVE SUMMARY

CVSS v3 6.3
ATTENTION: Exploitable remotely/low attack complexity 
Vendor: ABB 
Equipment: Pulsar Plus Controller  
Vulnerabilities: Use of Insufficiently Random Values, Cross-Site Request Forgery (CSRF) 

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to take control of the product or execute arbitrary code.  

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of ABB Pulsar Plus Controller, are affected: 

ABB Infinity DC Power Plant – H5692448 G104 G842 G224L G630-4 G451C(2) G461(2) – comcode 150047415 
ABB Pulsar Plus System Controller – NE843_S – comcode 150042936 

3.2 VULNERABILITY OVERVIEW

3.2.1 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352 

There are several fields in the web pages where a user can enter arbitrary text, such as a description of an alarm or a rectifier. These represent a cross site scripting vulnerability where JavaScript code can be entered as the description with the potential of causing system interactions unknown to the user. These issues were remediated by adding a check of every field update to reject suspicious entries. 

CVE-2022-1607 has been assigned to this vulnerability. A CVSS v3 base score of 4.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N). 

3.2.2 USE OF INSUFFICIENTLY RANDOM VALUES CWE-330 

Every interaction with the web server requires a Session ID that is assigned to the session after a successful login. The reported vulnerability is that the Session IDs were too short (16 bits), too predictable (IDs simply incremented), and were plainly visible in the URLs of the web pages. These issues were remediated by rewriting the web server to follow recommended best practices.  

CVE-2022-26080 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Dams, Energy, Food and Agriculture, Water and Wastewater 
COUNTRIES/AREAS DEPLOYED:  Worldwide 
COMPANY HEADQUARTERS LOCATION: Switzerland 

3.4 RESEARCHER

Vlad Ionescu of Facebook Red Team X reported these vulnerabilities to ABB. 

4. MITIGATIONS

ABB has an available update resolving a privately reported vulnerability in the product versions listed above. The update is version number 5.0.0 for the application and 5.0.0 for web pages. These updates have been distributed through the appropriate product support channels with affected users.  

ABB recommends users ensure the firewall protection is properly configured. 

A workaround suggested by ABB is to use the controller’s Read/Write Enable/Disable feature for a network port (NET1,WRE=0).  

The controller can disable all writes over the network port. The factory default is to have the write capability enabled. However, some users may not want settings to be remotely changed once systems are set. This feature, when set to “Disable”, will allow no changes to be accepted. Once set, it can only be changed locally through the front panel.  

Although these workarounds will not correct the underlying vulnerability, they can help block known attack vectors.  

For more information, see ABB Security Advisory.  

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages. 
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

No known public exploits specifically target these vulnerabilities.  

CP Plus KVMS Pro

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity 
Vendor: CP Plus 
Equipment: KVMS Pro 
Vulnerability: Insufficiently Protected Credentials 

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to retrieve sensitive credentials and control the entire CCTV system.  

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of CP Plus KVMS Pro, a software management platform, are affected: 

 KVMS Pro V2.01.0.T.190521 and prior 

3.2 VULNERABILITY OVERVIEW

3.2.1 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522  

CP Plus KVMS Pro versions 2.01.0.T.190521 and prior are vulnerable to sensitive credentials being leaked because they are insufficiently protected.   

CVE-2023-1518 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: India 

3.4 RESEARCHER

Harshit Shukla reported this vulnerability to CISA. 

4. MITIGATIONS

CP Plus has not responded to requests to work with CISA to mitigate this vulnerability. Users of the affected product are encouraged to contact CP Plus customer support for additional information. 

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

This vulnerability is not exploitable remotely. No known public exploits specifically target this vulnerability. 

Schneider Electric IGSS

1. EXECUTIVE SUMMARY

CVSS v3 8.8
ATTENTION: Exploitable remotely/low attack complexity 
Vendor: Schneider Electric 
Equipment: IGSS (Interactive Graphical SCADA System)  
Vulnerabilities: Missing Authentication for Critical Function, Insufficient Verification of Data Authenticity, Deserialization of Untrusted Data, Improper Limitation of a Pathname to a Restricted Directory, and Improper Input Validation

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in a denial-of-service condition, as well as the loss, addition, or modification of dashboards or report files in the IGSS Report folder. Successful exploitation of these vulnerabilities could also allow remote code execution, potentially resulting in loss of control of the supervisory control and data acquisition (SCADA) System with IGSS running in production mode.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports these vulnerabilities affect the following Data Server, Dashboard and Custom Reports modules for the IGSS (Interactive Graphical SCADA System) product:

IGSS Data Server (IGSSdataServer.exe): V16.0.0.23040 and prior 
IGSS Dashboard (DashBoard.exe): V16.0.0.23040 and prior 
Custom Reports (RMS16.dll): V16.0.0.23040 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306 

A vulnerability in Schneider Electric Data Server TCP interface could allow the creation of a malicious report file in the IGSS project report directory, and this could lead to remote code execution when an unsuspecting user opens the malicious report.  

CVE-2023-27980 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.2 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345 

A vulnerability in Schneider Electric Data Server could cause manipulation of dashboard files in the IGSS project report directory when an attacker sends specific crafted messages to the Data Server TCP port. This could lead to remote code execution if an unsuspecting user opens the malicious dashboard file. 

CVE-2023-27982 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.3 DESERIALIZATION OF UNTRUSTED DATA CWE-502 

A vulnerability in Schneider Electric Dashboard module could cause an interpretation of malicious payload data if a malicious file is opened by an unsuspecting user. This could lead to remote code execution. 

CVE-2023-27978 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.4 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY CWE-22 

A vulnerability in Schneider Electric Custom Reports could cause remote code execution if an unsuspecting user opens a malicious report. 

CVE-2023-27981 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.5 IMPROPER INPUT VALIDATION CWE-20 

A vulnerability in Schneider Electric Custom Reports could result in macro execution if a malicious report file is opened by an unsuspecting user, potentially leading to remote code execution. 

CVE-2023-27984 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.6 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345 

A vulnerability in Schneider Electric Data Server could grant an unauthorized user access to delete files in the IGSS project report directory if specific crafted messages are sent to the Data Server TCP port. 

CVE-2023-27977 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L). 

3.2.7 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345 

A vulnerability in Schneider Electric Data Server could allow an unauthorized user to rename files in the IGSS project report directory. This could lead to a denial-of-service condition if an attacker sends specific crafted messages to the Data Server TCP port. 

CVE-2023-27979 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L). 

3.2.8 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306 

A vulnerability in Schneider Electric Data Server TCP interface could allow deletion of reports from the IGSS project report directory. 

CVE-2023-27983 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: France 

3.4 RESEARCHER

Kimiya, working with Trend Micro Zero Day Initiative, reported these vulnerabilities to Schneider Electric. 

4. MITIGATIONS

Version 16.0.0.23041 of IGSS Data Server, Dashboard and Custom Reports (RMS) includes corrections and mitigations for these vulnerabilities and is available for download through IGSS Master > Update IGSS Software; the update is also available directly from Schneider Electric.  

Schneider Electric recommends that users use appropriate patching methodologies when applying these patches to their systems. Schneider Electric strongly recommends the use of back-ups and impact evaluating these patches in a test, development, or offline infrastructure environment. Users can contact Schneider Electric’s Customer Care Center for additional assistance. 

Additionally, if patching is not feasible, Schneider Electric recommends the following mitigations to reduce the risk of vulnerability exploitation: 

Read the Security Guideline for IGSS on securing an IGSS SCADA-installation. 
Ensure that the System Configuration module under Files, automatic backup is enabled for file backup. 
Strip report output from Excel output. In the System Configuration module under Reports, stripping of macros for the output engine can be enabled, reducing the risk of distributing an unsafe report. 
Verify that devices are isolated on a private network and that firewalls are configured with strict boundaries for devices that require remote access. 

Schneider Electric strongly recommends the following industry cybersecurity best practices. 

Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network. 
Install physical controls to help prevent unauthorized users from accessing industrial control and safety systems, components, peripheral equipment, and networks. 
Place all controllers in locked cabinets, and do not leave them in the “Program” mode. 
Only connect programming software to the network intended for that device. 
Scan all methods of mobile data exchange with the isolated network before use in the terminals or nodes connected to these networks. 
Properly sanitize mobile devices that have connected to another network before connecting to the intended network. 
Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the internet. 
When remote access is required, use secure methods, such as virtual private networks (VPNs). 
For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document

For more information, see Schneider Electric security notification SEVD-2023-073-04

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity. 

RoboDK

1. EXECUTIVE SUMMARY

CVSS v3 7.9
ATTENTION: Low attack complexity  
Vendor: RoboDK 
Equipment: RoboDK 
Vulnerability: Incorrect Permission Assignment for Critical Resource 

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to escalate privileges, which could allow attackers to write files to the RoboDK directory and achieve code execution. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of RoboDK, a programming and simulation software, are affected: 

RoboDK v5.5.3 and prior 

3.2 VULNERABILITY OVERVIEW

3.2.1 INCORRECT PERMISSION ASSIGNMENT OR CRITICAL RESOURCE CWE-732 

RoboDK versions 5.5.3 and prior contain an insecure permission assignment to critical directories vulnerability, which could allow a local user to escalate privileges and write files to the RoboDK process and achieve code execution.  

CVE-2023-1516 has been assigned to this vulnerability. A CVSS v3 base score of 7.9 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing  
COUNTRIES/AREAS DEPLOYED: Worldwide  
COMPANY HEADQUARTERS LOCATION: Canada 

3.4 RESEARCHER

Noam Moshe of Claroty reported this vulnerability to CISA. 

4. MITIGATIONS

RoboDK has not responded to requests to work with CISA to mitigate this vulnerability. Users of the affected product are encouraged to contact RoboDK support for additional information. 

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: 

Locate control system networks and remote devices behind firewalls and isolate them from business networks. 
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. 

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. 

How To Enable Auto Archiving in Microsoft 365 Email Accounts in Exchange Online

How To Enable Auto Archiving in Microsoft 365 Email Accounts in Exchange Online

  1. Connect to Exchange Online PowerShell

    • Open Powershell (with admin priviliges)
    • Enter Connect-ExchangeOnline
    • Log in with an account that has administrator privileges for your Microsoft 365 tenant

Microsoft 365 sign in

    • Run the following command in Exchange Online PowerShell to enable auto-expanding archiving for a specific user. As previously explained, the user’s archive mailbox (main archive) must be enabled before you can turn on auto-expanding archiving for that user.

Enable-Mailbox <user mailbox> -AutoExpandingArchive

Alternatively, you many run Set-OrganizationConfig -AutoExpandingArchive to enable auto-expanding archiving for the entire organization.

Reference: Enable auto-expanding archiving – Microsoft Purview (compliance) | Microsoft Learn

Continue reading