Skip to main content
(844) 422-7000

Johnson Controls Software House C-CURE 9000

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.7
ATTENTION: Low attack complexity
Vendor: Johnson Controls
Equipment: Software House C●CURE 9000
Vulnerability: Insertion of Sensitive Information into Log File

2. RISK EVALUATION

Successful exploitation of this vulnerability may allow an attacker to access credentials used for access to the application.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Johnson Controls reports that the following versions of Software House C●CURE 9000, a security management system, are affected:

Software House C●CURE 9000: v3.00.2

3.2 Vulnerability Overview

3.2.1 Insertion of Sensitive Information into Log File CWE-532

Under certain circumstances the Microsoft Internet Information Server (IIS) used to host the C●CURE 9000 Web Server will log Microsoft Windows credential details within logs. There is no impact to non-web service interfaces C●CURE 9000 or prior versions.

CVE-2024-0912 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.7 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L).

A CVSS v4 score has also been calculated for CVE-2024-0912. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Johnson Controls, Inc. reported this vulnerability to CISA.

4. MITIGATIONS

Johnson Controls recommends the following:

Update Software House C●CURE 9000 to version 3.00.2 CU02 or 3.00.3
Change the password for the impacted windows accounts.
Delete the api.log log file (or remove instances of passwords from the log file with a text editor) located at “C:Program Files (x86)TycovictorWebServicesvictorWebsiteLogsarchives”

For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2024-04 v1

Aligning with CISA recommendations, Johnson Controls recommends taking steps to minimize risks to all building automation systems.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

May 14, 2024: Initial Publication

Mitsubishi Electric Multiple FA Engineering Software Products

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 6.0
ATTENTION: Low attack complexity
Vendor: Mitsubishi Electric
Equipment: Multiple FA Engineering Software Products
Vulnerabilities: Improper Privilege Management, Uncontrolled Resource Consumption, Out-of-bounds Write, Improper Privilege Management

2. RISK EVALUATION

Successful exploitation of these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition and/or to gain Windows system privileges and execute arbitrary commands.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Mitsubishi Electric reports the following versions of FA Engineering Software Products are affected:

CPU Module Logging Configuration Tool: All versions
CSGL (GX Works2 connection configuration): All versions
CW Configurator: All versions
Data Transfer: All versions
Data Transfer Classic: All versions
EZSocket (communication middleware product for Mitsubishi Electric partner companies): All versions
FR Configurator SW3: All versions
FR Configurator2: All versions
GENESIS64: All versions
GT Designer3 Version1 (GOT1000): All versions
GT Designer3 Version1 (GOT2000): All versions
GT SoftGOT1000 Version3: All versions
GT SoftGOT2000 Version1: All versions
GX Developer: All versions
GX LogViewer: All versions
GX Works2: All versions
GX Works3: All versions
iQ Works (MELSOFT Navigator): All versions
MI Configurator: All versions
Mitsubishi Electric Numerical Control Device Communication Software (FCSB1224): All versions
MR Configurator (SETUP221): All versions
MR Configurator2: All versions
MRZJW3-MC2-UTL: All versions
MX Component: All versions
MX OPC Server DA/UA (Software packaged with MC Works64): All versions
PX Developer/Monitor Tool: All versions
RT ToolBox3: All versions
RT VisualBox: All versions
Setting/monitoring tools for the C Controller module (SW4PVC-CCPU): All versions
SW0DNC-MNETH-B: All versions
SW1DNC-CCBD2-B: All versions
SW1DNC-CCIEF-J: All versions
SW1DNC-CCIEF-B: All versions
SW1DNC-MNETG-B: All versions
SW1DNC-QSCCF-B: All versions
SW1DND-EMSDK-B All versions

3.2 Vulnerability Overview

3.2.1 Improper Privilege Management CWE-269

If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to gain Windows system privileges and execute arbitrary commands.

CVE-2023-51776 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2023-51776. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.2 Uncontrolled Resource Consumption CWE-400

If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.

CVE-2023-51777 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-51777. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.3 Out-of-bounds Write CWE-787

If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.

CVE-2023-51778 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-51778. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.4 Uncontrolled Resource Consumption CWE-400

If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.

CVE-2024-22102 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-22102. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.5 Out-of-bounds Write CWE-787

If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.

CVE-2024-22103 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-22103. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.6 Out-of-bounds Write CWE-787

If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.

CVE-2024-22104 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-22104. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.7 Uncontrolled Resource Consumption CWE-400

If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.

CVE-2024-22105 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-22105. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.8 Improper Privilege Management CWE-269

If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition and/or to gain Windows system privileges and execute arbitrary commands.

CVE-2024-22106 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.0 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-22106. A base score of 4.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.9 Improper Privilege Management CWE-269

If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to gain Windows system privileges and execute arbitrary commands.

CVE-2024-25086 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-25086. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.10 Uncontrolled Resource Consumption CWE-400

If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.

CVE-2024-25087 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-25087. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.11 Improper Privilege Management CWE-269

If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to gain Windows system privileges and execute arbitrary commands.

CVE-2024-25088 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-25088. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.12 Improper Privilege Management CWE-269

If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to gain Windows system privileges and execute arbitrary commands.

CVE-2024-26314 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-26314. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Jongseong Kim, Byunghyun Kang, Sangjun Park, Yunjin Park, Kwon Yul, and Seungchan Kim reported these vulnerabilities to Mitsubishi Electric.

4. MITIGATIONS

Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk of exploiting these vulnerabilities:

Restrict physical access to the computer using the product.
Install an antivirus software in your computer using the affected product.
Don’t open untrusted files or click untrusted links.

For additional information see Mitsubishi Electric advisory 2024-001.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely. These vulnerabilities have a high attack complexity.

5. UPDATE HISTORY

May 14, 2024: Initial Publication

Rockwell Automation FactoryTalk Remote Access

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 7.0
ATTENTION: Low attack complexity
Vendor: Rockwell Automation
Equipment: Factory Talk Remote Access
Vulnerability: Unquoted Search Path or Element

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to enter a malicious executable and run it as a system user, resulting in remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation’s FactoryTalk Remote Access are affected:

FactoryTalk Remote Access: v13.5.0.174 and prior

3.2 Vulnerability Overview

3.2.1 UNQUOTED SEARCH PATH OR ELEMENT CWE-428

An unquoted executable path exists in the affected products, possibly resulting in remote code execution if exploited. While running the FTRA installer package, the executable path is not properly quoted, which could allow a threat actor to enter a malicious executable and run it as a system user. A threat actor needs admin privileges to exploit this vulnerability.

CVE-2024-3640 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-3640. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Chemical, Commercial Facilities, Critical Manufacturing, Energy, Government Facilities, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation recommends user to upgrade to v13.6.

For additional information, refer to Rockwell Automation’s security bulletin.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

May 14, 2024: Initial Publication

alpitronic Hypercharger EV Charger

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.3
ATTENTION: Exploitable remotely/Low attack complexity
Vendor: alpitronic
Equipment: Hypercharger EV charger
Vulnerability: Use of Default Credentials

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in an attacker disabling the device, bypassing payment, or accessing payment data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Hypercharger EV charger, a high power charging station, are affected:

Hypercharger EV charger: all versions

3.2 Vulnerability Overview

3.2.1 USE OF DEFAULT CREDENTIALS CWE-1392

If misconfigured, the charging devices can expose a web interface protected by authentication. If the default credentials are not changed, an attacker can use public knowledge to access the device as an administrator.

CVE-2024-4622 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H).

A CVSS v4 score has been calculated for CVE-2024-4622. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Transportation Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Italy

3.4 RESEARCHER

Hanno Böck reported these vulnerabilities to CISA.

4. MITIGATIONS

alpitronic recommends users change the default credentials for all charging devices.

alpitronic advises that the interface should be connected only to internal segregated and access-controlled networks and not exposed to the public internet/web.

When informed of these vulnerabilities, alpitronic, in conjunction with and/or on behalf of affected clients, disabled the interface on any exposed devices and all clients were contacted directly and reminded that the interface is not intended to be visible on the public Internet and that default passwords should be changed.

alpitronic are also applying mitigations to all devices in the field and to new devices in production. New devices will come with unique passwords. Devices using the default password will be automatically assigned new unique passwords, or at first access if the device has not yet been installed. Devices with the default passwords already changed will not be affected. New passwords can be obtained by scanning the QR-Code inside the charger or in DMS portal hyperdoc. Contact Hypercharger support with any questions about newly assigned passwords.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

May 9, 2024: Initial Publication

Delta Electronics InfraSuite Device Master

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Delta Electronics
Equipment: InfraSuite Device Master
Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Delta Electronics products are affected:

InfraSuite Device Master: Versions 1.0.10 and prior

3.2 Vulnerability Overview

3.2.1 Deserialization of Untrusted Data CWE-502

Delta Electronics InfraSuite Device Master contains a deserialization of untrusted data vulnerability because it runs a version of Apache ActiveMQ (5.15.2) which is vulnerable to CVE-2023-46604.

CVE-2023-46604 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-46604. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

An anonymous researcher working with Trend Micro Zero Day Initiative reported this vulnerability to CISA.

4. MITIGATIONS

Delta Electronics states that this issue was fixed by version 1.0.11 released in December 2023. Delta recommends updating to version 1.0.11 or later.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

May 09, 2024: Initial Publication

Rockwell Automation FactoryTalk Historian SE

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 7.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: FactoryTalk Historian SE
Vulnerabilities: Missing Release of Resource after Effective Lifetime, Improper Check or Handling of Exceptional Conditions

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation FactoryTalk Historian SE, a data management application, are affected:

FactoryTalk Historian SE: Versions v9.0 and prior

3.2 Vulnerability Overview

3.2.1 MISSING RELEASE OF RESOURCE AFTER EFFECTIVE LIFETIME CWE-772

FactoryTalk Historian SE utilizes the AVEVA PI Server, which contains a vulnerability that could allow an unauthenticated user to cause a partial denial-of-service condition in the PI Message Subsystem of a PI Server by consuming available memory. This vulnerability exists in FactoryTalk Historian SE versions 9.0 and earlier. Exploitation of this vulnerability could cause FactoryTalk Historian SE to become unavailable, requiring a power cycle to recover it.

CVE-2023-31274 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-31274. A base score of 7.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H).

3.2.2 IMPROPER CHECK OR HANDLING OF EXCEPTIONAL CONDITIONS CWE-703

FactoryTalk Historian SE uses the AVEVA PI Server, which contains a vulnerability that could allow an unauthenticated user to remotely crash the PI Message Subsystem of a PI Server, resulting in a denial-of-service condition. This vulnerability exists in FactoryTalk Historian SE versions 9.0 and earlier. Exploitation of this vulnerability could cause FactoryTalk Historian SE to become unavailable, requiring a power cycle to recover it.

CVE-2023-34348 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-34348. A base score of 7.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported these vulnerabilities to CISA.

4. MITIGATIONS

Rockwell Automation has released product updates addressing this vulnerability:

FactoryTalk Historian SE: Users using the affected software are encouraged to install FactoryTalk Historian SE version 9.01 or higher as soon as feasible.

For more information, see Rockwell Automation’s article.(Login Required)

For more information about the AVEVA PI and AVEVA Edge products, see AVEVA-2024-001 and AVEVA-2024-002

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

May 09, 2024: Initial Publication

SUBNET Substation Server

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.6
ATTENTION: Low attack complexity
Vendor: Subnet Solutions Inc.
Equipment: Substation Server
Vulnerabilities: Reliance on Insufficiently Trustworthy Component

2. RISK EVALUATION

Successful exploitation of the vulnerabilities in components used by Substation Server could allow privilege escalation, denial-of-service, or arbitrary code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

SUBNET Solutions reports that the following products use components with vulnerabilities:

Substation Server: 2.23.10 and prior

3.2 Vulnerability Overview

3.2.1 RELIANCE ON INSUFFICIENTLY TRUSTWORTHY COMPONENT CWE-1357

SUBNET Solutions Inc. has identified vulnerabilities in third-party components used in Substation Server.

CVE-2024-26024 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-26024. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Canada

3.4 RESEARCHER

SUBNET Solutions reported these vulnerabilities to CISA.

4. MITIGATIONS

Subnet Solutions has fixed these issues by identifying and replacing out of date libraries used in previous versions of Substation Server. Users are advised to update to version 2.23.11 or newer. To obtain this software, contact Subnet Solution’s Customer Service.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

May 7, 2024: Initial Publication

PTC Codebeamer

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 5.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: PTC
Equipment: Codebeamer
Vulnerability: Cross-site Scripting

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to inject malicious code in the application.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of PTC Codebeamer, an application lifecycle management platform, are affected:

Codebeamer: version 22.10 SP9 and prior
Codebeamer: version 2.0.0.3 and prior
Codebeamer: version 2.1.0.0

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

PTC Codebeamer is vulnerable to a cross site scripting vulnerability that could allow an attacker to inject and execute malicious code.

CVE-2024-3951 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2024-3951. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Information Technology, Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Marek Holka (ETAS) reported this vulnerability to PTC.

4. MITIGATIONS

PTC released the following resolutions:

Codebeamer: Update to version 22.10 SP10 or later
Codebeamer: Update to version 2.0.0.4 or later
Codebeamer: Update to version 2.1.0.1 or later

For more information, see PTC’s customer support article.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

May 07, 2024: Initial Publication

Delta Electronics DIAEnergie

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Delta Electronics
Equipment: DIAEnergie
Vulnerabilities: SQL Injection, Path Traversal

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an authenticated attacker with limited privileges to escalate privileges, retrieve confidential information, upload arbitrary files, backdoor the application, and compromise the system on which DIAEnergie is deployed.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Delta Electronics DIAEnergie, an industrial energy management system, are affected:

DIAEnergie: Versions v1.10.00.005

3.2 Vulnerability Overview

3.2.1 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) CWE-89

Delta Electronics DIAEnergie is vulnerable to an SQL injection vulnerability that exists in the script Handler_CFG.ashx. An authenticated attacker can exploit this issue to potentially compromise the system on which DIAEnergie is deployed.

CVE-2024-34031 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-34031. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) CWE-89

Delta Electronics DIAEnergie is vulnerable to an SQL injection vulnerability that exists in the GetDIACloudList endpoint. An authenticated attacker can exploit this issue to potentially compromise the system on which DIAEnergie is deployed.

CVE-2024-34032 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-34032. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) CWE-22

Delta Electronics DIAEnergie has insufficient input validation which makes it possible to perform a path traversal attack and write outside of the intended directory. If a file name is specified that already exists on the file system, then the original file will be overwritten.

CVE-2024-34033 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-34033. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to CISA.

4. MITIGATIONS

Delta Electronics recommends users update to DIAEnergie v1.10.01.004 to mitigate these vulnerabilities. Users can request this version of DIAEnergie from Delta Electronics’ regional sales or agents.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

May 02, 2024: Initial Publication

CyberPower PowerPanel

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/Low attack complexity
Vendor: CyberPower
Equipment: PowerPanel
Vulnerabilities: Use of Hard-coded Password, Relative Path Traversal, Use of Hard-coded Credentials, Active Debug Code, Storing Passwords in a Recoverable Format, Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’), Use of Hard-coded Cryptographic Key, Improper Authorization

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of PowerPanel, a business management software, are affected:

PowerPanel: 4.9.0 and prior

3.2 Vulnerability Overview

3.2.1 USE OF HARD-CODED PASSWORD CWE-259

The application code contains a hard-coded set of authentication credentials. This could result in an attacker bypassing authentication and gaining administrator privileges.

CVE-2024-34025 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 USE OF HARD-CODED PASSWORD CWE-259

The application code contains a hard-coded JWT signing key. This could result in an attacker forging JWT tokens to bypass authentication.

CVE-2024-34025 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.3 RELATIVE PATH TRAVERSAL CWE-23

A specially crafted Zip file containing path traversal characters can be imported to the server, which allows file writing to the server outside the intended scope, and could allow an attacker to achieve remote code execution.

CVE-2024-33615 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.4 USE OF HARD-CODED CREDENTIALS CWE-798

Hard-coded credentials are used by the platform to authenticate to the database, other services, and the cloud. This could result in an attacker gaining access to services with the privileges of a Powerpanel application.

CVE-2024-32053 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.5 ACTIVE DEBUG CODE CWE-489

Hard-coded credentials for the test server can be found in the production code. This might result in an attacker gaining access to the testing or production server.

CVE-2024-32047 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.6 STORING PASSWORDS IN A RECOVERABLE FORMAT CWE-257

The key used to encrypt passwords stored in the database can be found in the application code, allowing the passwords to be recovered.

CVE-2024-32042 has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).

3.2.7 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND (‘SQL INJECTION’) CWE-89

An attacker with certain MQTT permissions can create malicious messages to all Power Panel devices. This could result in an attacker injecting SQL syntax, writing arbitrary files to the system, and executing remote code.

CVE-2024-31856 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.8 USE OF HARD-CODED CRYPTOGRAPHIC KEY CWE-321

The devices Power Panel manages use identical certificates based on a hard-coded cryptographic key. This can allow an attacker to impersonate any client in the system and send malicious data.

CVE-2024-31410 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).

3.2.9 IMPROPER AUTHORIZATION CWE-285

Certain MQTT wildcards are not blocked on the system, which might result in an attacker obtaining data from throughout the system after gaining access to any device.

CVE-2024-31409 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA.

4. MITIGATIONS

CyberPower has released a new version of PowerPanel that fixes these vulnerabilities:

PowerPanel Business: Update to v4.10.1 or later version

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

May 02, 2024: Initial Publication