BirdDog Cameras and Encoders

1. EXECUTIVE SUMMARY

CVSS v3 8.4
ATTENTION: Exploitable remotely/low attack complexity
Vendor: BirdDog
Equipment: STUDIO R3, 4K QUAD, MINI, A300 EYES
Vulnerabilities: Cross-Site Request Forgery, Use of Hard-Coded Credentials

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to remotely execute code or obtain unauthorized access to the product.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following BirdDog camera and encoder versions are affected:

4K QUAD: Versions 4.5.181 and 4.5.196
MINI: Version 2.6.2
A300 EYES: Version 3.4
STUDIO R3: Version 3.6.4

3.2 VULNERABILITY OVERVIEW

3.2.1 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

The affected products have a CSRF vulnerability that could allow an attacker to execute code and upload malicious files.
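The advisory does not describe the BirdDog web interface, so the following is an added illustration (not BirdDog's code) of the standard defence against CSRF on a device management UI: every state-changing request must carry a token that is bound to the caller's session with an HMAC, and the Origin/Referer header must match the device's own origin. The device origin `https://camera.local`, the server secret, and the request shapes are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed demo secret; a real device would load this from protected storage.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"

# Hypothetical origin of the device's own web UI (scheme, host[:port]).
DEVICE_ORIGIN = ("https", "camera.local")

STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def issue_csrf_token(session_id: str) -> str:
    """Token = random nonce + HMAC(session_id, nonce); only this session can use it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def same_origin(url: str) -> bool:
    """True only if scheme and host[:port] equal the device's own origin."""
    parts = urlsplit(url)
    return (parts.scheme, parts.netloc) == DEVICE_ORIGIN


def authorize_request(method: str, headers: dict, form: dict, session_id: str):
    """Gate a request the way a management UI should: safe methods pass, state-changing
    methods need a same-origin Origin/Referer header AND a valid session-bound token.
    Returns (allowed, reason)."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not same_origin(origin):
        return False, "cross-origin request"
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```

A token leaked from one session is useless in another because the session id is part of the MAC input, and the origin check is a second, independent layer for browsers that send those headers.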

CVE-2023-2505 has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N).

3.2.2 USE OF HARD-CODED CREDENTIALS CWE-798

Files present on firmware images could allow an attacker to gain unauthorized access as a root user using hard-coded credentials.

CVE-2023-2504 has been assigned to this vulnerability. A CVSS v3 base score of 8.4 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Australia

3.4 RESEARCHER

Alan Cao reported these vulnerabilities to CISA.

4. MITIGATIONS

BirdDog has released a firmware patch for this issue and users are encouraged to update their devices by going to BirdDog’s download page here.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

Siemens Solid Edge

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: Solid Edge
Vulnerabilities: NULL Pointer Dereference, Out-of-bounds Read, Improper Restriction of Operations within the Bounds of a Memory Buffer

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code or crash the application.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

Solid Edge SE2023: All versions prior to V223.0 Update 3
Solid Edge SE2023: All versions prior to V223.0 Update 2

3.2 VULNERABILITY OVERVIEW

3.2.1 NULL POINTER DEREFERENCE CWE-476 

STEPTools v18SP1 ifcmesh library (v18.1) is affected due to a null pointer dereference, which could allow an attacker to deny application usage when reading a specially constructed file, resulting in an application crash. 

CVE-2023-0973 has been assigned to this vulnerability. A CVSS v3 base score of 2.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L). 

3.2.2 OUT-OF-BOUNDS READ CWE-125 

Affected applications contain an out-of-bounds read past the end of an allocated buffer while parsing a specially crafted OBJ file. This vulnerability could allow an attacker to disclose sensitive information. 

CVE-2023-30985 has been assigned to this vulnerability. A CVSS v3 base score of 3.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N). 

3.2.3 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119 

Affected applications contain a memory corruption vulnerability while parsing specially crafted STP files. This could allow an attacker to execute code in the context of the current process. 

CVE-2023-30986 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Trend Micro Zero Day Initiative reported these vulnerabilities to Siemens.

4. MITIGATIONS

Siemens identified the following specific workarounds and mitigations users can apply to reduce risk: 

Solid Edge SE2023: Update to V223.0 Update 3 or later version.
Solid Edge SE2023: Update to V223.0 Update 2 or later version.
Avoid opening untrusted files from unknown sources in Solid Edge.

For further inquiries on security vulnerabilities in Siemens products, users should contact Siemens.  

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals. 

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information, see the associated Siemens security advisory SSA-932528 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should: 

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

These vulnerabilities are not exploitable remotely. 

Siemens SIMATIC Cloud Connect 7

1. EXECUTIVE SUMMARY

CVSS v3 7.2 
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SIMATIC Cloud Connect 7
Vulnerabilities: Improper Neutralization of Special Elements used in a Command (‘Command Injection’), Use of Hard-coded Password, Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Missing Standardized Error Handling Mechanism, Exposure of Sensitive Information to an Unauthorized Actor, Files or Directories Accessible to External Parties

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products from Siemens are affected: 

SIMATIC Cloud Connect 7 CC712 (6GK1411-1AC00): All versions V2.0 to V2.1
SIMATIC Cloud Connect 7 CC712 (6GK1411-1AC00): All versions prior to V2.1
SIMATIC Cloud Connect 7 CC716 (6GK1411-5AC00): All versions V2.0 to V2.1
SIMATIC Cloud Connect 7 CC716 (6GK1411-5AC00): All versions prior to V2.1

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77 

The web-based management of affected devices does not properly validate user input, making it susceptible to command injection. This could allow an authenticated privileged remote attacker to execute arbitrary code with root privileges. 
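The advisory only states that user input reaches a command without proper validation. The following is an added example (not Siemens code) of how a web-management handler should treat such input: validate it against a strict grammar first, and then pass it to the operating system as a separate argument vector, never as text interpolated into a shell string. A diagnostic "ping a host" action is the assumed feature; `ping` and its `-c` flag are standard on Linux.

```python
import ipaddress
import re
import subprocess

# RFC 1123 style host name: labels of letters, digits and hyphens, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_target(value: str) -> str:
    """Accept only an IP address or a DNS name. Anything else (spaces, quotes,
    semicolons, pipes, a leading '-') fails here, before any command is built."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if 0 < len(value) <= 253 and HOSTNAME_RE.fullmatch(value):
        return value
    raise ValueError("invalid target")


def is_safe_target(value: str) -> bool:
    try:
        validate_target(value)
        return True
    except ValueError:
        return False


def build_ping_argv(target: str, count: int = 1) -> list:
    """Build an argument vector. The validated target is one argv element, so the
    shell never parses it. The anti-pattern this replaces is
    subprocess.run(f"ping -c 1 {target}", shell=True)."""
    if not isinstance(count, int) or not 1 <= count <= 10:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), validate_target(target)]


def run_ping(target: str, count: int = 1) -> int:
    """Run the diagnostic with a timeout and return the exit status."""
    proc = subprocess.run(build_ping_argv(target, count), capture_output=True,
                          text=True, timeout=20, check=False)
    return proc.returncode
```

The allowlist regex is deliberately narrower than "reject known-bad characters": a denylist has to anticipate every shell metacharacter and encoding trick, whereas a grammar for the expected input does not.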

CVE-2023-28832 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been assigned. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). 

3.2.2 USE OF HARD-CODED PASSWORD CWE-259 

The affected device uses a hard-coded password to protect the diagnostic files. This could allow an authenticated attacker to access protected data. 

CVE-2023-29103 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). 

3.2.3 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22 

The filename in the upload feature of the web-based management of the affected device is susceptible to a path traversal vulnerability. This could allow an authenticated privileged remote attacker to overwrite any file the Linux user `ccuser` has write access to, or to download any file the Linux user `ccuser` has read-only access to. 

CVE-2023-29104 has been assigned to this vulnerability. A CVSS v3 base score of 6.0 has been assigned. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H). 

3.2.4 MISSING STANDARDIZED ERROR HANDLING MECHANISM CWE-544 

The affected device is vulnerable to a denial-of-service condition while parsing a random (non-JSON) MQTT payload. This could allow an attacker who can manipulate the communication between the MQTT broker and the affected device to cause a denial-of-service condition. 
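What a "missing standardized error handling mechanism" looks like in practice is a message handler that assumes every payload is well-formed JSON and lets the first decoding exception take the whole process down. The example below is added here and is not Siemens code; it shows the defensive shape: decode and validate in one place, turn every failure into a counted rejection, and keep consuming. The command vocabulary (`set_interval`) and the sample payloads are constructed for the demo.

```python
import json

# Constructed payloads standing in for messages a device might receive from its broker.
SAMPLE_PAYLOADS = [
    b'{"cmd": "set_interval", "seconds": 30}',            # valid
    b"\xff\xfe not even text",                             # not UTF-8
    b'{"cmd": "set_interval"',                             # truncated JSON
    b"[1, 2, 3]",                                          # valid JSON, wrong shape
    b'{"cmd": "set_interval", "seconds": "fast"}',         # wrong type
    b'{"cmd": "reboot"}',                                  # unknown command
]

MAX_PAYLOAD = 4096  # assumed ceiling so a huge message cannot exhaust memory


def decode_payload(raw: bytes):
    """Return (message, None) on success or (None, reason) on any failure. Never raises."""
    if len(raw) > MAX_PAYLOAD:
        return None, "oversized"
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None, "not utf-8"
    try:
        msg = json.loads(text)
    except json.JSONDecodeError:
        return None, "malformed json"
    if not isinstance(msg, dict):
        return None, "not an object"
    if msg.get("cmd") != "set_interval":          # the only command in this demo
        return None, "unknown command"
    seconds = msg.get("seconds")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(seconds, bool) or not isinstance(seconds, int) or not 1 <= seconds <= 3600:
        return None, "invalid seconds"
    return msg, None


def process_stream(payloads):
    """Apply every valid message to the device state; bad input is counted and dropped,
    and the loop never terminates early. Returns (state, rejection_counts)."""
    state = {"interval": 60}
    rejected = {}
    for raw in payloads:
        msg, reason = decode_payload(raw)
        if msg is None:
            rejected[reason] = rejected.get(reason, 0) + 1
            continue
        state["interval"] = msg["seconds"]
    return state, rejected
```

The rejection counters are the detection hook: a sudden rise in `malformed json` or `not utf-8` from a broker that normally sends clean messages is exactly the signal a defender would want alerted on.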

CVE-2023-29105 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned. The CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.2.5 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200 

The export endpoint is accessible via REST application programming interface (API) without authentication. This could allow an unauthenticated remote attacker to download the files available via the endpoint. 

CVE-2023-29106 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). 

3.2.6 FILES OR DIRECTORIES ACCESSIBLE TO EXTERNAL PARTIES CWE-552 

The export endpoint discloses some undocumented files. This could allow an unauthenticated remote attacker to gain access to additional information resources. 

CVE-2023-29107 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). 

3.2.7 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22 

The filename in the upload feature of the web-based management of the affected device is susceptible to a path traversal vulnerability. This could allow an authenticated privileged remote attacker to write any file with the extension `.db`. 
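Both path-traversal findings above (3.2.3 and 3.2.7) come down to a client-controlled filename being joined onto a server-side directory. The following is an added example (not the vendor's code) of the two checks that close that class of bug: accept only a plain, single-component name with an allowlisted extension, then resolve the final path and confirm its parent is still the upload directory. The allowed suffixes and the sample names are constructed for the demo; the `.db` extension appears in the advisory.

```python
import os
import re
import tempfile
from pathlib import Path

# A plain name: starts with an alphanumeric, then up to 63 of [A-Za-z0-9._-]. No separators.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
ALLOWED_SUFFIXES = {".db", ".cfg"}  # constructed allowlist for the demo


def safe_upload_path(upload_dir: Path, user_filename: str) -> Path:
    """Map a client-supplied filename to a path guaranteed to lie directly inside upload_dir."""
    # 1. Any '/' or '\' means the client sent a path, not a name: reject outright.
    base = os.path.basename(user_filename.replace("\\", "/"))
    if base != user_filename or not SAFE_NAME.fullmatch(base):
        raise ValueError("invalid filename")
    if Path(base).suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError("disallowed extension")
    # 2. Resolve both sides and confirm containment. This also catches a symlink that
    #    someone managed to plant inside upload_dir pointing elsewhere.
    root = upload_dir.resolve()
    candidate = (root / base).resolve()
    if candidate.parent != root:
        raise ValueError("path escapes upload directory")
    return candidate


def is_acceptable(upload_dir: Path, name: str) -> bool:
    try:
        safe_upload_path(upload_dir, name)
        return True
    except ValueError:
        return False


def check_cases() -> dict:
    """Run a set of constructed filenames against a temporary upload directory."""
    cases = [
        "backup.db", "site.CFG", "x.db", "report.txt", "", ".hidden.db",
        "../../config.db", "..\\other.db", "/tmp/abs.db", "nested/a.db", "a;b.db",
    ]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # A symlink inside the upload dir must not let a "plain" name escape it.
        (root / "escape.db").symlink_to(tmp_parent := root.parent / "elsewhere.db")
        results = {name: is_acceptable(root, name) for name in cases}
        results["escape.db"] = is_acceptable(root, "escape.db")
    return results
```

The order matters: the name check happens before any filesystem call, and the resolve-then-compare step is a second, independent check rather than a replacement for the first.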

CVE-2023-29128 has been assigned to this vulnerability. A CVSS v3 base score of 3.8 has been assigned. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA. 

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk: 

SIMATIC Cloud Connect 7 CC712 (6GK1411-1AC00): Update to V2.1 or later
SIMATIC Cloud Connect 7 CC712 (6GK1411-1AC00): Update to V2.1 or later
SIMATIC Cloud Connect 7 CC716 (6GK1411-5AC00): Update to V2.1 or later
SIMATIC Cloud Connect 7 CC716 (6GK1411-5AC00): Update to V2.1 or later

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals. 

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For further inquiries on security vulnerabilities in Siemens products, users should contact the Siemens ProductCERT.

For more information, see the associated Siemens security advisory SSA-555292 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should: 

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

No known public exploits specifically target these vulnerabilities.  

Siemens SCALANCE W1750D

1. EXECUTIVE SUMMARY

CVSS v3 8.4 
ATTENTION: Exploitable from adjacent network/low attack complexity
Vendor: Siemens
Equipment: SCALANCE W1750D
Vulnerabilities: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to disclose sensitive information or steal the unsuspecting user’s session. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products from Siemens are affected: 

SCALANCE W1750D (JP) (6GK5750-2HX01-1AD0): All versions
SCALANCE W1750D (ROW) (6GK5750-2HX01-1AA0): All versions
SCALANCE W1750D (USA) (6GK5750-2HX01-1AB0): All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER INPUT VALIDATION CWE-20

The IEEE 802.11 specifications through 802.11ax allow physically proximate attackers to intercept (possibly cleartext) target-destined frames by spoofing a target’s MAC address, sending Power Save frames to the access point, and then sending other frames to the access point (e.g., authentication frames or re-association frames) to remove the target’s original security context. This interception occurs because the specifications do not require an access point to purge its transmit queue before removing a client’s pairwise encryption key.

CVE-2022-47522 has been assigned to this vulnerability. A CVSS v3 base score of 8.4 has been assigned. The CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA. 

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk: 

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to their Operational Guidelines for Industrial Security and following recommendations in the product manuals. 

Additional information on industrial security by Siemens can be found on the Siemens Industrial Security website. 

For further inquiries on security vulnerabilities in Siemens products, visit Siemens ProductCERT.

For more information, see the associated Siemens security advisory SSA-516174 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: 

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.

Siemens SINEC NMS Third-Party

1. EXECUTIVE SUMMARY

CVSS v3 9.8 
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: Third-party components libexpat and libcurl in SINEC NMS
Vulnerabilities: Expected Behavior Violation, Improper Validation of Syntactic Correctness of Input, Stack-based Buffer Overflow, Use After Free, Double Free, Cleartext Transmission of Sensitive Information

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to impact SINEC NMS confidentiality, integrity, and availability. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products are affected:

Third-Party components used in SINEC NMS: All versions prior to V1.0.3.1

3.2 VULNERABILITY OVERVIEW

3.2.1 EXPECTED BEHAVIOR VIOLATION CWE-440

When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send—even when the `CURLOPT_POSTFIELDS` option has been set—if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST. 

CVE-2022-32221 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). 

3.2.2 IMPROPER VALIDATION OF SYNTACTIC CORRECTNESS OF INPUT CWE-1286 

When curl is used to retrieve and parse cookies from a HTTP(S) server, it accepts cookies using control codes that, when later sent back to a HTTP server, might cause the server to return 400 responses, effectively allowing a “sister site” to deny service to all “siblings.” 

CVE-2022-35252 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.2.3 STACK-BASED BUFFER OVERFLOW CWE-121

Curl could be directed to parse a `.netrc` file for credentials. If that file ends in a line with 4095 consecutive non-white space letters and no newline, curl would first read past the end of the stack-based buffer and, if the read works, write a zero byte beyond its boundary. This could cause a segfault or similar, but circumstances might also cause different outcomes. If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, then this flaw could be used to cause a denial-of-service condition. 

CVE-2022-35260 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H). 

3.2.4 USE AFTER FREE CWE-416

Libexpat before 2.4.9 has a use-after-free vulnerability in the doContent function in xmlparse.c. 

CVE-2022-40674 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 

3.2.5 USE AFTER FREE CWE-416

Curl can be asked to tunnel almost all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations using an appropriate HTTP error response code. When denied a tunnel for the specific protocols SMB or TELNET, curl could use a heap-allocated struct after it was freed in its transfer shutdown code path. 

CVE-2022-43552 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.2.6 USE AFTER FREE CWE-416

In libexpat through 2.4.9, there is a use after free vulnerability caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations. 

CVE-2022-43680 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.2.7 DOUBLE FREE CWE-415

Curl before 7.86.0 has a double free vulnerability. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, such as 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0. 

CVE-2022-42915 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.2.8 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

In curl before 7.86.0, the HSTS check could be bypassed by tricking it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26. 

CVE-2022-42916 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). 

3.2.9 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319 

A vulnerability exists in the HSTS check of curl <7.87.0 that could be bypassed by tricking it into using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, such as using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E). Then, in a subsequent request, curl does not detect the HSTS state and makes a clear-text transfer, because it stores the information IDN-encoded but looks it up IDN-decoded. 
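The root cause shared by 3.2.8 and 3.2.9 is a canonicalization mismatch: the HSTS entry is stored under one form of the host name and looked up under another. The added example below (not curl's code) shows an HSTS cache that runs both the store and the lookup through the same canonical form. It relies on Python's built-in `idna` codec, which splits labels on U+3002 and the other IDNA full-stop variants as well as on U+002E, so `example\u3002com` canonicalizes to `example.com`. The hosts and the clock are constructed for the demo.

```python
import time


def canonical_host(host: str) -> str:
    """The one form used for BOTH storing and looking up HSTS entries:
    IDNA-encode (maps U+3002/U+FF0E/U+FF61 separators to '.', non-ASCII labels
    to punycode), strip a trailing dot, lower-case. Raises ValueError (via
    UnicodeError) for host names the codec rejects, e.g. an empty label."""
    ascii_host = host.encode("idna").decode("ascii")
    return ascii_host.rstrip(".").lower()


class HstsCache:
    def __init__(self, now=time.time):
        self._entries = {}   # canonical host -> (expiry, include_subdomains)
        self._now = now      # injectable clock so expiry can be tested

    def add(self, host: str, max_age: int, include_subdomains: bool = False) -> None:
        """Record a Strict-Transport-Security policy for host."""
        self._entries[canonical_host(host)] = (self._now() + max_age, include_subdomains)

    def upgrade_required(self, host: str) -> bool:
        """True if host (or a parent with includeSubDomains) has an unexpired policy."""
        labels = canonical_host(host).split(".")
        now = self._now()
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue
            if i == 0 or include_sub:
                return True
        return False

    def scheme_for(self, host: str, requested: str = "http") -> str:
        """The scheme a client should actually use for a URL naming host."""
        return "https" if self.upgrade_required(host) else requested
```

Because `canonical_host` is the only path into the dictionary, there is no second spelling of the host that could miss the entry; the test below checks the U+3002 case the advisory describes, plus case folding and a punycode label.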

CVE-2022-43551 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA. 

4. MITIGATIONS

Siemens has identified the following specific workaround/mitigation users can apply to reduce risk: 

SINEC NMS: Update to V1.0.3.1 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals. 

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information, see the associated Siemens security advisory SSA-892048 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

No known public exploits specifically target these vulnerabilities. 

Siemens Siveillance Video Event and Management Servers

1. EXECUTIVE SUMMARY

CVSS v3 9.9 
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: Siveillance Video
Vulnerabilities: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute code on the affected system. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports these vulnerabilities affect the following IP video management software: 

Siveillance Video 2020 R2: all versions prior to V20.2 HotfixRev14
Siveillance Video 2020 R3: all versions prior to V20.3 HotfixRev12
Siveillance Video 2021 R1: all versions prior to V21.1 HotfixRev12
Siveillance Video 2021 R2: all versions prior to V21.2 HotfixRev8
Siveillance Video 2022 R1: all versions prior to V22.1 HotfixRev7
Siveillance Video 2022 R2: all versions prior to V22.2 HotfixRev5
Siveillance Video 2022 R3: all versions prior to V22.3 HotfixRev2
Siveillance Video 2023 R1: all versions prior to V23.1 HotfixRev1

3.2 VULNERABILITY OVERVIEW

3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502 

The Event Server component of affected Siemens Siveillance Video applications deserializes data without sufficient validations. This could allow an authenticated remote attacker to execute code on the affected system. 

CVE-2023-30898 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). 

3.2.2 DESERIALIZATION OF UNTRUSTED DATA CWE-502 

The Management Server component of affected Siemens Siveillance Video applications deserializes data without sufficient validations. This could allow an authenticated remote attacker to execute code on the affected system. 

CVE-2023-30899 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). 
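Both findings above (3.2.1 and 3.2.2) are the same defect in two components: a deserializer that will instantiate whatever type the incoming bytes name. The advisory gives no detail of the .NET serializer involved, so the following is an added illustration in Python (not Siemens or Milestone code) of the mitigation pattern that applies to any native serialization format: deserialize through an allowlist of plain data types and refuse every other type reference. The sample payloads are constructed; the one that is refused merely references `collections.OrderedDict`, a harmless class that is simply not on the allowlist.

```python
import builtins
import collections
import io
import pickle

# Only plain data containers and scalars may be reconstructed from untrusted bytes.
SAFE_BUILTINS = {"dict", "list", "tuple", "set", "frozenset",
                 "str", "bytes", "int", "float", "bool"}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global (module.name) reference except the allowlist above.
    A stock Unpickler would import and call whatever the payload names."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    """Deserialize with the type allowlist enforced; raises UnpicklingError on a refusal."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_load_or_none(data: bytes):
    """Server-side shape: a refused or corrupt payload becomes None (and a log line),
    never an exception that reveals internals or, worse, a constructed object."""
    try:
        return restricted_loads(data)
    except (pickle.UnpicklingError, EOFError, ValueError):
        return None


# Constructed samples standing in for a client request body.
PLAIN_EVENT = pickle.dumps({"camera": "lobby-1", "events": [1, 2, 3], "ack": True})
WITH_TYPE_REF = pickle.dumps(collections.OrderedDict(a=1))   # carries a GLOBAL reference
GARBAGE = b"not a pickle at all"
```

Where the data model permits it, the stronger fix is not to accept a native serialization format from the network at all and to use a schema-validated JSON document instead; the allowlist above is the containment for the case where the wire format cannot be changed.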

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications, Commercial Facilities

COUNTRIES/AREAS DEPLOYED: Worldwide

COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Milestone PSIRT reported these vulnerabilities to Siemens. 

4. MITIGATIONS

Siemens has released updates for several affected products and recommends updating to the latest versions. The provided cumulative hotfix releases include the fixes for both Event Server (ES) and Management Server (MS). Apply the fixes on all relevant deployed servers: 

Siveillance Video 2020 R2: Update to V20.2 HotfixRev14 or later version
Siveillance Video 2020 R3: Update to V20.3 HotfixRev12 or later version
Siveillance Video 2021 R1: Update to V21.1 HotfixRev12 or later version
Siveillance Video 2021 R2: Update to V21.2 HotfixRev8 or later version
Siveillance Video 2022 R1: Update to V22.1 HotfixRev7 or later version
Siveillance Video 2022 R2: Update to V22.2 HotfixRev5 or later version
Siveillance Video 2022 R3: Update to V22.3 HotfixRev2 or later version
Siveillance Video 2023 R1: Update to V23.1 HotfixRev1 or later version

As a general security measure Siemens strongly recommends protecting network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices to run the devices in a protected IT environment. 

For additional information regarding this vulnerability, see the related Milestone security advisory.

For further inquiries on security vulnerabilities in Siemens products, users should contact the Siemens ProductCERT.  

For more information, see the associated Siemens security advisory SSA-789345 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should: 

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity. 

Hitachi Energy MSM

1. EXECUTIVE SUMMARY

CVSS v3 9.8 
ATTENTION: Exploitable remotely/low attack complexity 
Vendor: Hitachi Energy 
Equipment: Modular Switchgear Monitoring (MSM) 
Vulnerabilities: Improper Restriction of Excessive Authentication Attempts, Authentication Bypass by Capture-replay, Code Injection, Improper Restriction of Operations within the Bounds of a Memory Buffer, NULL Pointer Dereference, Insufficient Entropy 

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to obtain user access credentials of the MSM web interface or cause a denial-of-service condition. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Hitachi Energy products are affected: 

MSM: 2.2.5 and earlier 

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307 

The code that performs password matching when using ‘basic’ HTTP authentication does not use a constant-time memcmp and has no rate-limiting. An unauthenticated network attacker could brute-force the HTTP basic password byte-by-byte, by recording the webserver’s response time until the unauthorized (401) response. 

CVE-2021-43298 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 
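The two missing controls named in 3.2.1, shown side by side as an added example written for this page (not code from GoAhead, Hitachi Energy, or the advisory): a byte-by-byte strcmp check for contrast, a constant-time comparison that visits every byte regardless of where the first difference is, and a per-client failed-attempt counter with a lockout window. All function and structure names, the constructed client table, and the limits are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <time.h>

#define MAX_CLIENTS     64
#define MAX_FAILURES    5
#define LOCKOUT_SECONDS 300

/* The pattern the advisory describes: strcmp stops at the first differing
 * byte, so the time to the 401 depends on how many leading bytes matched.
 * Kept only for contrast with the hardened comparison below. */
bool naive_password_match(const char *stored, const char *supplied)
{
    return strcmp(stored, supplied) == 0;
}

/* Constant-time comparison: every byte of the longer string is visited and
 * differences are OR-accumulated rather than branched on. The loop bound
 * still reflects the stored length; real deployments should compare
 * fixed-length password hashes rather than raw strings. */
bool ct_password_match(const char *stored, const char *supplied)
{
    size_t ls = strlen(stored), lu = strlen(supplied);
    size_t n = ls > lu ? ls : lu;
    unsigned char diff = (unsigned char)(ls != lu);
    for (size_t i = 0; i < n; i++) {
        unsigned char a = i < ls ? (unsigned char)stored[i] : 0;
        unsigned char b = i < lu ? (unsigned char)supplied[i] : 0;
        diff |= (unsigned char)(a ^ b);
    }
    return diff == 0;
}

/* Per-client failure counter with a lockout window (the missing rate limit).
 * Keyed by IPv4 address for simplicity; constructed table, not GoAhead's. */
struct client_state { uint32_t ip; bool used; unsigned failures; time_t locked_until; };
static struct client_state clients[MAX_CLIENTS];

static struct client_state *client_lookup(uint32_t ip)
{
    for (size_t i = 0; i < MAX_CLIENTS; i++)
        if (clients[i].used && clients[i].ip == ip) return &clients[i];
    for (size_t i = 0; i < MAX_CLIENTS; i++)
        if (!clients[i].used) { clients[i].used = true; clients[i].ip = ip; return &clients[i]; }
    return NULL;                                  /* table full: fail closed */
}

/* True only when the client is not locked out and the password matches.
 * `now` is a parameter so the logic is deterministic and testable. */
bool basic_auth_check(uint32_t client_ip, const char *stored,
                      const char *supplied, time_t now)
{
    struct client_state *c = client_lookup(client_ip);
    if (c == NULL || c->locked_until > now) return false;   /* refuse, no compare */
    if (ct_password_match(stored, supplied)) { c->failures = 0; return true; }
    if (++c->failures >= MAX_FAILURES) {
        c->failures = 0;
        c->locked_until = now + LOCKOUT_SECONDS;
    }
    return false;
}
```

A locked-out client is refused before any comparison runs, so repeated guesses within the window yield neither a match nor a usable timing signal.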

3.2.2 AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294 

The HTTP digest authentication in the GoAhead web server before 5.1.2 does not completely protect against replay attacks. An unauthenticated remote attacker could bypass authentication via capture-replay if TLS is not used to protect the underlying communication channel. 

CVE-2020-15688 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.3 IMPROPER CONTROL OF GENERATION OF CODE (‘CODE INJECTION’) CWE-94 

An issue was discovered in Embedthis GoAhead 2.5.0. Certain pages (e.g., goform/login and config/log_off_page.htm) create links containing a hostname obtained from an arbitrary HTTP host header sent by an attacker. This could potentially be used in a phishing attack. 

CVE-2019-16645 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N). 

3.2.4 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119 

In http.c in Embedthis GoAhead before 4.1.1 and 5.x before 5.0.1, a header parsing vulnerability causes a memory assertion, out-of-bounds memory reference, and a potential denial-of-service condition, as demonstrated by a single colon on a line. 

CVE-2019-12822 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.2.5 NULL POINTER DEREFERENCE CWE-476 

An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. The server mishandles HTTP request fields associated with time, which results in a NULL pointer dereference, as demonstrated by If-Modified-Since or If-Unmodified-Since with a month greater than 11. 

CVE-2018-15504 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.2.6 NULL POINTER DEREFERENCE CWE-476 

An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. An HTTP POST request with a specially crafted “host” header field may cause a NULL pointer dereference resulting in a denial-of-service condition, as demonstrated by the lack of a trailing ‘]’ character in an IPv6 address. 

CVE-2018-15505 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 
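The three parser failure modes in 3.2.4 through 3.2.6 (a header line that is only a colon, a date header with an out-of-range month, and a Host header holding an IPv6 literal with no closing ']') handled defensively, as an added example written for this page rather than code from GoAhead or the advisory. Each routine returns a rejection value so the caller can answer 400 instead of asserting or dereferencing a NULL search result; the function names and the date-key encoding are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return a pointer to the value of a "Name: value" line, or NULL when the
 * line has no name before the colon (e.g. a line that is just ":") or no
 * colon at all. The caller answers 400 on NULL instead of asserting. */
const char *header_value(const char *line)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL || colon == line) return NULL;
    for (const char *p = line; p < colon; p++)
        if (*p == ' ' || *p == '\t') return NULL;       /* whitespace in name */
    const char *v = colon + 1;
    while (*v == ' ' || *v == '\t') v++;                 /* skip optional WS */
    return v;
}

/* Host header: a bracketed IPv6 literal needs its closing ']', optionally
 * followed by ":port". A missing ']' is a malformed request, not a reason
 * to dereference a NULL search result. */
bool host_valid(const char *host)
{
    if (host == NULL || host[0] == '\0') return false;
    if (host[0] == '[') {
        const char *close = strchr(host, ']');
        if (close == NULL || close == host + 1) return false;   /* "[::1" or "[]" */
        return close[1] == '\0' || (close[1] == ':' && close[2] != '\0');
    }
    return strpbrk(host, "[]") == NULL;                  /* no stray brackets */
}

/* Month token lookup that cannot index past the table: returns 0..11 or -1. */
int month_index(const char *tok)
{
    static const char *const months[12] = {"Jan","Feb","Mar","Apr","May","Jun",
                                           "Jul","Aug","Sep","Oct","Nov","Dec"};
    for (int i = 0; i < 12; i++)
        if (strcmp(tok, months[i]) == 0) return i;
    return -1;
}

/* Parse an IMF-fixdate ("Sun, 06 Nov 1994 08:49:37 GMT") as carried by
 * If-Modified-Since / If-Unmodified-Since. Returns YYYYMMDD as a long, or
 * -1 when the shape is wrong or the month is outside the table. */
long http_date_key(const char *s)
{
    char mon[4] = {0};
    int day = 0, year = 0, hh = 0, mm = 0, ss = 0;
    if (sscanf(s, "%*3[A-Za-z], %2d %3[A-Za-z] %4d %2d:%2d:%2d GMT",
               &day, mon, &year, &hh, &mm, &ss) != 6) return -1;
    int m = month_index(mon);
    if (m < 0 || day < 1 || day > 31 || hh > 23 || mm > 59 || ss > 60) return -1;
    return (long)year * 10000 + (m + 1) * 100 + day;
}
```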

3.2.7 INSUFFICIENT ENTROPY CWE-331 

Websda.c in GoAhead WebServer 2.1.8 has insufficient nonce entropy due to the nonce calculation relying on the hardcoded onceuponatimeinparadise value, which does not follow the secret-data guideline for HTTP digest access authentication in RFC 7616 section 3.3 (or RFC 2617 section 3.2.1).  

Note: 2.1.8 is a version from 2003; however, the affected websda.c code appears in derivative works that may be used in 2021. Recent GoAhead software is unaffected. 

CVE-2021-41615 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 

3.2.8 INSUFFICIENT ENTROPY CWE-331 

An allocation of resources without limits or throttling vulnerability exists in curl

The use of such a decompression chain could result in a “malloc bomb”, making curl spend enormous amounts of allocated heap memory, or try to, and return out of memory errors. 

CVE-2023-23916 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Switzerland 

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA. 

4. MITIGATIONS

MSM is not intrinsically designed nor intended to be directly connected to the internet. Users should disconnect the device from any internet-facing network.  

Hitachi Energy suggests adopting user access management and antivirus protection software equipped with the latest signature rules on hosts with the Manufacturing Message Specification (MMS) Client application installed. Users can implement the operating system user access management functionality, if supported, to limit the probability of unauthorized access followed by rogue commands at the operating system level via the MMS client application. 

Also, Hitachi Energy recommends following the hardening guidelines published by The Center for Internet Security (CIS) to protect the host operating system of machines connecting with MSM. These guidelines help prevent lateral movement into MSM via these connected devices. Some examples for Windows-based computers include: 

CIS Microsoft Windows Desktop Benchmarks (cisecurity.org) 
CIS Microsoft Windows Server Benchmarks (cisecurity.org) 

According to Hitachi Energy, users should follow recommended security practices and firewall configurations to help protect a network from outside attacks, including: 

Physically protecting systems from direct access by unauthorized personnel. 
Ensuring monitoring systems have no direct connections to the internet. 
Separating monitoring system networks from other networks using a firewall system with a minimal number of ports exposed. 

Hitachi advises that monitoring systems should not be used for internet surfing, instant messaging, or receiving emails. Portable computers and removable storage media should be carefully scanned for malware prior to connection to monitoring systems. 

For more information, see Hitachi Energy advisory 8DBD000154.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

No known public exploits specifically target these vulnerabilities. 

Mitsubishi Electric Factory Automation Products

1. EXECUTIVE SUMMARY

CVSS v3 8.8
ATTENTION: Low attack complexity 
Vendor: Mitsubishi Electric 
Equipment: Factory Automation (FA) Products 
Vulnerabilities: Dependency on Vulnerable Third-Party Component 

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a malicious attacker to escalate privileges, disclose parameter information in the affected products, and cause a denial-of-service condition. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Mitsubishi Electric Factory Automation products are affected: 

MELIPC Series 
MI5122-VM: All versions 
MI1002-W: All versions 
MI2012-W: All versions 
MI3321G-W: All versions 
MI3315G-W: All versions 

MELSEC iQ-R Series 
R102WCPU-W: All versions 

MELSEC Q Series 
Q24DHCCPU-V: All versions 
Q24DHCCPU-VG: All versions 
Q24DHCCPU-LS: All versions  
Q26DHCCPU-LS: All versions 

3.2 VULNERABILITY OVERVIEW

3.2.1 DEPENDENCY ON VULNERABLE THIRD-PARTY COMPONENT CWE-1395 

These vulnerabilities in Intel products could allow a malicious attacker to escalate privileges, disclose parameter information, and cause a denial-of-service condition in Mitsubishi Electric MELIPC, MELSEC iQ-R, and MELSEC Q Series products. 

CVE-2020-24489, CVE-2020-8670, CVE-2020-24512, CVE-2021-0146, CVE-2021-0089, CVE-2021-0086, CVE-2021-0127, CVE-2021-33150, and CVE-2022-0002 have been assigned to these vulnerabilities. A worst-case CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Japan 

3.4 RESEARCHER

Mitsubishi Electric reported these vulnerabilities to CISA. 

4. MITIGATIONS

Mitsubishi Electric recommends users refer to the following Intel advisories to assist in mitigating these vulnerabilities: 

CVE-2020-8670—INTEL-SA-00463 
CVE-2020-24489—INTEL-SA-00442 
CVE-2020-24512—INTEL-SA-00464 
CVE-2021-0127—INTEL-SA-00532 
CVE-2021-0146—INTEL-SA-00528 
CVE-2021-0086—INTEL-SA-00516 
CVE-2021-0089—INTEL-SA-00516 
CVE-2021-33150—INTEL-SA-00609 
CVE-2022-0002—INTEL-SA-00598 

For additional information, refer to Mitsubishi Electric’s bulletin.

Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk of exploiting these vulnerabilities: 

Restrict physical access to the product from unauthorized users. 

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages. 
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely. These vulnerabilities have a high attack complexity. 

Scada-LTS Third Party Component

1. EXECUTIVE SUMMARY

CVSS v3 6.5
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available 
Vendor: Scada-LTS 
Equipment: Scada-LTS 
Vulnerability: Cross-site Scripting 

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow loss of sensitive information and execution of arbitrary code. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Scada-LTS, an open-source HMI, are affected: 

Scada-LTS Versions 2.7.4 and prior 

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79 

Scada-LTS versions 2.7.4 and prior are vulnerable to cross-site scripting. This could allow a remote attacker to craft malicious URLs that may execute arbitrary code in an authenticated user’s browser and print sensitive information. 

CVE-2015-1179 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Open-source Project 

3.4 RESEARCHER

Hunter Wodzenski reported this vulnerability to CISA. 

4. MITIGATIONS

Scada-LTS has fixed this vulnerability and Scada-LTS users are recommended to upgrade to version 2.7.4.1 or later.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Keysight N8844A Data Analytics Web Service

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity 
Vendor: Keysight 
Equipment: N8844A Data Analytics Web Service 
Vulnerability: Deserialization of Untrusted Data 

2. RISK EVALUATION

Successful exploitation of this vulnerability could lead to remote code execution. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Keysight reports this vulnerability affects the following data analytics web service software:  

N8844A Data Analytics Web Service: Version 2.1.7351 and prior 

3.2 VULNERABILITY OVERVIEW

3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502 

Keysight N8844A Data Analytics Web Service deserializes untrusted data without sufficiently verifying the resulting data will be valid. 

CVE-2023-1967 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications, Government 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: United States 

3.4 RESEARCHER

An anonymous researcher working with Trend Micro Zero Day Initiative reported this vulnerability to CISA. 

4. MITIGATIONS

Keysight N8844A Data Analytics Web Service is discontinued and is no longer available to download. Keysight made available a replacement product that is not vulnerable to the ZDI-discovered exploit. 

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.