Skip to main content
(844) 422-7000

Siemens SIPROTEC 5 Devices

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity 
Vendor: Siemens 
Equipment: SIPROTEC 5 Devices 
Vulnerability: NULL Pointer Dereference 

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause a denial-of-service condition of the target device. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following software from Siemens is affected: 

SIPROTEC 5 6MD85 (CP200): All versions (v) 
SIPROTEC 5 6MD85 (CP300): All versions prior to v9.40 
SIPROTEC 5 6MD86 (CP200): All versions 
SIPROTEC 5 6MD86 (CP300): All versions prior to v9.40 
SIPROTEC 5 6MD89 (CP300): All versions 
SIPROTEC 5 6MU85 (CP300): All versions prior to v9.40 
SIPROTEC 5 7KE85 (CP200): All versions 
SIPROTEC 5 7KE85 (CP300): All versions prior to v9.40 
SIPROTEC 5 7SA82 (CP100): All versions 
SIPROTEC 5 7SA82 (CP150): All versions prior to v9.40 
SIPROTEC 5 7SA84 (CP200): All versions 
SIPROTEC 5 7SA86 (CP200): All versions 
SIPROTEC 5 7SA86 (CP300): All versions prior to v9.40 
SIPROTEC 5 7SA87 (CP200): All versions 
SIPROTEC 5 7SA87 (CP300): All versions prior to v9.40 
SIPROTEC 5 7SD82 (CP100): All versions 
SIPROTEC 5 7SD82 (CP150): All versions prior to v9.40 
SIPROTEC 5 7SD84 (CP200): All versions 
SIPROTEC 5 7SD86 (CP200): All versions 
SIPROTEC 5 7SD86 (CP300): All versions prior to v9.40 
SIPROTEC 5 7SD87 (CP200): All versions 
SIPROTEC 5 7SD87 (CP300): All versions prior to v9.40 
SIPROTEC 5 7SJ81 (CP100): All versions 
SIPROTEC 5 7SJ81 (CP150): All versions prior to v9.40 
SIPROTEC 5 7SJ82 (CP100): All versions 
SIPROTEC 5 7SJ82 (CP150): All versions prior to v9.40 
SIPROTEC 5 7SJ85 (CP200): All versions 
SIPROTEC 5 7SJ85 (CP300): All versions prior to v9.40 
SIPROTEC 5 7SJ86 (CP200): All versions 
SIPROTEC 5 7SJ86 (CP300): All versions prior to v9.40 
SIPROTEC 5 7SK82 (CP100): All versions 
SIPROTEC 5 7SK82 (CP150): All versions prior to v9.40 
SIPROTEC 5 7SK85 (CP200): All versions 
SIPROTEC 5 7SK85 (CP300): All versions prior to v9.40 
SIPROTEC 5 7SL82 (CP100): All versions 
SIPROTEC 5 7SL82 (CP150): All versions prior to v9.40 
SIPROTEC 5 7SL86 (CP200): All versions 
SIPROTEC 5 7SL86 (CP300): All versions prior to v9.40 
SIPROTEC 5 7SL87 (CP200): All versions 
SIPROTEC 5 7SL87 (CP300): All versions prior to v9.40 
SIPROTEC 5 7SS85 (CP200): All versions 
SIPROTEC 5 7SS85 (CP300): All versions prior to v9.40 
SIPROTEC 5 7ST85 (CP200): All versions 
SIPROTEC 5 7ST85 (CP300): All versions 
SIPROTEC 5 7ST86 (CP300): All versions prior to v9.40 
SIPROTEC 5 7SX82 (CP150): All versions prior to v9.40 
SIPROTEC 5 7SX85 (CP300): All versions prior to v9.40 
SIPROTEC 5 7UM85 (CP300): All versions prior to v9.40 
SIPROTEC 5 7UT82 (CP100): All versions 
SIPROTEC 5 7UT82 (CP150): All versions prior to v9.40 
SIPROTEC 5 7UT85 (CP200): All versions 
SIPROTEC 5 7UT85 (CP300): All versions prior to v9.40 
SIPROTEC 5 7UT86 (CP200): All versions 
SIPROTEC 5 7UT86 (CP300): All versions prior to v9.40 
SIPROTEC 5 7UT87 (CP200): All versions 
SIPROTEC 5 7UT87 (CP300): All versions prior to v9.40 
SIPROTEC 5 7VE85 (CP300): All versions prior to v9.40 
SIPROTEC 5 7VK87 (CP200): All versions 
SIPROTEC 5 7VK87 (CP300): All versions prior to v9.40 
SIPROTEC 5 7VU85 (CP300): All versions prior to v9.40 
SIPROTEC 5 Communication Module ETH-BA-2EL: All versions prior to v9.40 
SIPROTEC 5 Communication Module ETH-BB-2FO: All versions prior to v9.40 
SIPROTEC 5 Communication Module ETH-BD-2FO: All versions prior to v9.40 
SIPROTEC 5 Compact 7SX800 (CP050): All versions prior to v9.40 

3.2 VULNERABILITY OVERVIEW

3.2.1 NULL POINTER DEREFERENCE CWE-476 

Affected devices lack proper validation of HTTP request parameters of the hosted web service. An unauthenticated remote attacker could send specially crafted packets that could cause a denial-of-service condition of the target device. 

CVE-2023-28766 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

Turek Witold from Polskie Sieci Elektroenergetyczne S.A reported this vulnerability to Siemens. 

4. MITIGATIONS

Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where updates are not, or not yet, available: 

SIPROTEC 5 6MD85 (CP300): Update to v9.40 or later 
SIPROTEC 5 6MD86 (CP300): Update to v9.40 or later 
SIPROTEC 5 6MU85 (CP300): Update to v9.40 or later 
SIPROTEC 5 7KE85 (CP300): Update to v9.40 or later 
SIPROTEC 5 7SA82 (CP150): Update to v9.40 or later 
SIPROTEC 5 7SA86 (CP300): Update to v9.40 or later 
SIPROTEC 5 7SA87 (CP300): Update to v9.40 or later 
SIPROTEC 5 7SD82 (CP150): Update to v9.40 or later 
SIPROTEC 5 7SD86 (CP300): Update to v9.40 or later 
SIPROTEC 5 7SD87 (CP300): Update to v9.40 or later 
SIPROTEC 5 7SJ81 (CP150): Update to v9.40 or later 
SIPROTEC 5 7SJ82 (CP150): Update to v9.40 or later 
SIPROTEC 5 7SJ85 (CP300): Update to v9.40 or later 
SIPROTEC 5 7SJ86 (CP300): Update to v9.40 or later 
SIPROTEC 5 7SK82 (CP150): Update to v9.40 or later 
SIPROTEC 5 7SK85 (CP300): Update to v9.40 or later 
SIPROTEC 5 7SL82 (CP150): Update to v9.40 or later 
SIPROTEC 5 7SL86 (CP300): Update to v9.40 or later 
SIPROTEC 5 7SL87 (CP300): Update to v9.40 or later 
SIPROTEC 5 7SS85 (CP300): Update to v9.40 or later 
SIPROTEC 5 7ST86 (CP300): Update to v9.40 or later 
SIPROTEC 5 7SX82 (CP150): Update to v9.40 or later 
SIPROTEC 5 7SX85 (CP300): Update to v9.40 or later 
SIPROTEC 5 7UM85 (CP300): Update to v9.40 or later 
SIPROTEC 5 7UT82 (CP150): Update to v9.40 or later 
SIPROTEC 5 7UT85 (CP300): Update to v9.40 or later 
SIPROTEC 5 7UT86 (CP300): Update to v9.40 or later 
SIPROTEC 5 7UT87 (CP300): Update to v9.40 or later 
SIPROTEC 5 7VE85 (CP300): Update to v9.40 or later 
SIPROTEC 5 7VK87 (CP300): Update to v9.40 or later 
SIPROTEC 5 7VU85 (CP300): Update to v9.40 or later 
SIPROTEC 5 Communication Module ETH-BA-2EL: Update to v9.40 or later 
SIPROTEC 5 Communication Module ETH-BB-2FO: Update to v9.40 or later 
SIPROTEC 5 Communication Module ETH-BD-2FO: Update to v9.40 or later 
SIPROTEC 5 Compact 7SX800 (CP050): Update to v9.40 or later 

Siemens has identified the following specific workarounds and mitigations users can apply to reduce the risk: 

Block access to port 4443/TCP e.g. with an external firewall 

Worldwide regulations for critical power systems (e.g. TSOs or DSOs) usually require multi-level redundant secondary protection schemes to build resilience into power grids. It is recommended that operators check whether appropriate resilient protection measures are in place to minimize the risk of cyber incidents impacting the grid’s reliability.  

Siemens recommends that operators:  

Apply provided security updates using the corresponding tooling and documented procedures made available with the product.  
Automatically apply security updates across multiple product instances if automation is supported by the product.  
Validate any security update before being applied. It is recommended to perform the update process under the supervision of trained staff in the target environment.   
Protect network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN) as a general security measure. 

In order to run the devices in a protected IT environment, it is advised to configure the environment according to Siemens operational guidelines

Recommended security guidelines can be found at Siemens’ grid security page

For more information, see the associated Siemens security advisory SSA-322980 in HTML and CSAF

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.  

Siemens SCALANCE XCM332

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity 
Vendor: Siemens 
Equipment: SCALANCE XCM332 
Vulnerabilities: Allocation of Resources Without Limits or Throttling, Use After Free, Concurrent Execution Using Shared Resource with Improper Synchronization (‘Race Condition’), Incorrect Default Permissions, Out-of-bounds Write, and Improper Validation of Syntactic Correctness of Input 

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could cause a denial-of-service condition, code execution, data injection, and allow unauthorized access. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following software from Siemens is affected: 

SCALANCE XCM332 (6GK5332-0GA01-2AC2): Versions prior to 2.2 

3.2 VULNERABILITY OVERVIEW

3.2.1 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770 

In versions of libtirpc prior to 1.3.3rc1, remote attackers could exhaust the file descriptors of a process using libtirpc due to mishandling of idle TCP connections. This could lead to an svc_run infinite loop without accepting new connections. 

CVE-2021-46828 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.2.2 USE AFTER FREE CWE-416 

Linux Kernel could allow a local attacker to leverage a concurrency use-after-free flaw in the bad_flp_intr function to execute arbitrary code. By executing a specially-crafted program, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial-of-service condition on the system. 

CVE-2022-1652 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). 

3.2.3 CONCURRENT EXECUTION USING SHARED RESOURCE WITH IMPROPER SYNCHRONIZATION (‘RACE CONDITION’) CWE-362 

A race condition was found the Linux kernel in perf_event_open() which can be exploited by an unprivileged user to gain root privileges. The bug allows to build several exploit primitives, such as kernel address information leak and arbitrary execution. 

CVE-2022-1729 has been assigned to this vulnerability. A CVSS v3 base score of 7.0 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). 

3.2.4 USE AFTER FREE CWE-416 

A use-after-free in Busybox 1.35-x’s awk applet leads to a denial-of-service condition and possible code execution when processing a crafted awk pattern in the copyvar function. 

CVE-2022-30065 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.5 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770 

A malicious server can serve excessive amounts of “Set-Cookie:” headers in a HTTP response to curl and curl < 7.84.0, which stores all of them. A sufficiently large amount of cookies could make subsequent HTTP requests to this, or other servers to which the cookies match, create requests larger than the threshold curl uses internally to avoid sending excessively large requests (1048576 bytes), and instead returns an error. This denial state might remain for as long as the same cookies are kept, match, and haven’t expired. Due to cookie matching rules, a server on “foo.example.com” can set cookies that also would match for “bar.example.com”, making it possible for a “sister server” to cause a denial-of-service condition for a sibling site on the same second level domain using this method. 

CVE-2022-32205 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L). 

3.2.6 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770 

Versions of curl < 7.84.0 support “chained” HTTP compression algorithms, where a server response can be compressed multiple times with potentially different algorithms. The number of acceptable “links” in this “decompression chain” was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps; this could result in a “malloc bomb,” making curl spend enormous amounts of allocated heap memory, or trying to, and returning out of memory errors. 

CVE-2022-32206 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H). 

3.2.7 INCORRECT DEFAULT PERMISSIONS CWE-276 

When curl < 7.84.0 saves cookies, alt-svc, and hsts data to local files, it finalizes the operation with a rename from a temporary name to the final target file name, making the operation atomic. In this rename operation, these versions of curl  might accidentally widen the permissions for the target file, leaving the updated file accessible to more users than intended. 

CVE-2022-32207 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 

3.2.8 OUT-OF-BOUNDS WRITE CWE-787 

When curl < 7.84.0 performs file transfer protocol (FTP) transfers secured by krb5, it does not handle message verification failures correctly;  it is possible for a machine-in-the-middle attack to go unnoticed and allows injection of data into the client. 

CVE-2022-32208 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). 

3.2.9 IMPROPER VALIDATION OF SYNTACTIC CORRECTNESS OF INPUT CWE-1286 

When curl is used to retrieve and parse cookies from a HTTP(S) server, it accepts cookies using control codes that, when are later sent back to a HTTP server, might make the server return 400 responses. This could allow a “sister site” to deny service to all sibling sites. 

CVE-2022-35252 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.2.10 USE AFTER FREE CWE-416 

Versions of libexpat before 2.4.9 have a use-after-free vulnerability in the doContent function in xmlparse.c. 

CVE-2022-40674 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA. 

4. MITIGATIONS

Siemens has released an update for the SCALANCE XCM332 and recommends updating to the latest version: 

SCALANCE XCM332 (6GK5332-0GA01-2AC2): Update to V2.2 or later version 

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at the Siemens Industrial Security web page

For further inquiries on security vulnerabilities in Siemens products and solutions, users should contact the Siemens ProductCERT.  

For more information see the associated Siemens security advisory SSA-558014 in HTML and CSAF

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages. 
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

No known public exploits specifically target these vulnerabilities. 

Siemens Polarion ALM

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

CVSS v3 5.3
ATTENTION: Exploitable remotely/high attack complexity 
Vendor: Siemens  
Equipment: Polarion ALM 
Vulnerability: Improper Restriction of XML External Entity Reference 

2. RISK EVALUATION

Successful exploitation of this vulnerability may allow an attacker to potentially disclose confidential data. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens Polarion ALM products are affected: 

Polarion ALM: all versions prior to V2304.0 

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611 

The application contains an XML external entity injection (XXE) vulnerability. This could allow an attacker to view files on the application server filesystem. 

CVE-2023-28828 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

Cale Anderson reported this vulnerability to Siemens. 

4. MITIGATIONS

Siemens has released an update for Polarion ALM and recommends updating to the latest version (V2304.0), as well as updating specific configurations to mitigate against the vulnerability. The configuration changes to mitigate this vulnerability will be default in Polarion V2304 and later versions. 

Siemens recommends setting configurations as listed in SSA-632164 to mitigate against external entity injection in OpenSAML 4.x parser. This will be included by default in  Polarion V2304 and later versions. 

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following the recommendations in the product manuals. Additional information on industrial security by Siemens can be found at the Siemens Industrial Security web page

For further inquiries on security vulnerabilities in Siemens products and solutions, users should contact the Siemens ProductCERT

For more information, see the associated Siemens security advisory SSA-632164 in HTML and CSAF

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages. 
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

No known public exploits specifically target this vulnerability. This vulnerability is exploitable remotely. This vulnerability has a high attack complexity. 

Siemens SCALANCE X-200IRT Devices

1. EXECUTIVE SUMMARY

CVSS v3 6.7
ATTENTION: Exploitable with adjacent access 
Vendor: Siemens 
Equipment: SCALANCE X-200IRT Devices 
Vulnerability: Inadequate Encryption Strength 

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthorized attacker in a machine-in-the-middle position to read and modify any data passed over the connection between legitimate clients and the affected device. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following software from Siemens is affected: 

SCALANCE X200-4P IRT (6GK5200-4AH00-2BA3): All versions prior to V5.5.2 
SCALANCE X201-3P IRT (6GK5201-3BH00-2BA3): All versions prior to V5.5.2 
SCALANCE X201-3P IRT PRO (6GK5201-3JR00-2BA6): All versions prior to V5.5.2 
SCALANCE X202-2IRT (6GK5202-2BB00-2BA3): All versions prior to V5.5.2 
SCALANCE X202-2IRT (6GK5202-2BB10-2BA3): All versions prior to V5.5.2 
SCALANCE X202-2P IRT (6GK5202-2BH00-2BA3): All versions prior to V5.5.2 
SCALANCE X202-2P IRT PRO (6GK5202-2JR00-2BA6): All versions prior to V5.5.2 
SCALANCE X204IRT (6GK5204-0BA00-2BA3): All versions prior to V5.5.2 
SCALANCE X204IRT (6GK5204-0BA10-2BA3): All versions prior to V5.5.2 
SCALANCE X204IRT PRO (6GK5204-0JA00-2BA6): All versions prior to V5.5.2 
SCALANCE XF201-3P IRT (6GK5201-3BH00-2BD2): All versions prior to V5.5.2 
SCALANCE XF202-2P IRT (6GK5202-2BH00-2BD2): All versions prior to V5.5.2 
SCALANCE XF204-2BA IRT (6GK5204-2AA00-2BD2): All versions prior to V5.5.2 
SCALANCE XF204IRT (6GK5204-0BA00-2BF2): All versions prior to V5.5.2 
SIPLUS NET SCALANCE X202-2P IRT (6AG1202-2BH00-2BA3): All versions prior to V5.5.2 

3.2 VULNERABILITY OVERVIEW

3.2.1 INADEQUATE ENCRYPTION STRENGTH CWE-326 

The secure shell (SSH) server on affected devices is configured to offer weak ciphers by default. This could allow an unauthorized attacker in a machine-in-the-middle position to read and modify any data passed over the connection between legitimate clients and the affected device. 

CVE-2023-29054 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

Siemens reported this vulnerability to CISA. 

4. MITIGATIONS

Siemens has released updates for the affected products and recommends updating to the latest versions: 

Update all affected products to V5.5.2 or later

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk identified in the vulnerability overview:  

Configure the SSH clients to use strong key exchange ciphers. 
Add only trusted SSH client public keys to the responding operating system (ROS) and allow access to those clients only. 

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals. 

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.  

For more information, see the associated Siemens security advisory SSA-479249 in HTML and CSAF

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity. 

Siemens in OPC Foundation Local Discovery Server

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity  
Vendor: Siemens  
Equipment: OPC Foundation Local Discovery Server 
Vulnerability: Improper Input Validation 

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to create a malicious file loaded by OPC Foundation Local Discovery Server (running as a high-privilege user). 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following software from Siemens is affected: 

OpenPCS 7 V9.1: All versions  
SIMATIC NET PC Software V14: All versions 
SIMATIC NET PC Software V15: All versions 
SIMATIC NET PC Software V16: All versions 
SIMATIC NET PC Software V17: All versions 
SIMATIC NET PC Software V18: All versions 
SIMATIC Process Historian OPC UA Server: All versions 
SIMATIC WinCC: All versions prior to V8.0 
SIMATIC WinCC Runtime Professional: All versions 
SIMATIC WinCC Unified PC Runtime: All versions prior to V18.0 UPD 1 SR 1 
TeleControl Server Basic V3: All versions 

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER INPUT VALIDATION CWE-20 

OPC Foundation Local Discovery Server (LDS) in affected products uses a hard-coded file path to a configuration file. This could allow a normal user to create a malicious file that is loaded by LDS (running as a high-privilege user). 

CVE-2022-44725 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

Michael Heinzl reported this vulnerability to Siemens. 

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk: 

Siemens OpenPCS 7 V9.1: Currently, no fix is available. 
Siemens SIMATIC NET PC Software V14: Currently, no fix is available. 
Siemens SIMATIC NET PC Software V15: Currently, no fix is available. 
Siemens SIMATIC NET PC Software V16: Currently, no fix is available. 
Siemens SIMATIC NET PC Software V17: Currently, no fix is available. 
Siemens SIMATIC NET PC Software V18: Currently, no fix is available. 
Siemens SIMATIC Process Historian OPC UA Server: All versions. 
Siemens SIMATIC WinCC Runtime Professional: Currently, no fix is available. 
Siemens TeleControl Server Basic V3: Currently, no fix is available. 
Siemens SIMATIC WinCC: Update to V8.0 or later version. 
Siemens SIMATIC WinCC Unified PC Runtime: Update to V18.0 UPD 1 SR 1 or later version. 

Siemens has identified the following specific workarounds and mitigations that users can apply to reduce the risk: 

Update the underlying OPC Foundation Unified Architecture Local Discovery Server (UA-LDS) to V1.04.405 or later if possible. 

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for Industrial Security and following the recommendations in the product manuals. 

Additional information on Industrial Security by Siemens can be found here

For further inquiries on security vulnerabilities in Siemens products and solutions, users should contact Siemens ProductCERT

For more information, see the associated Siemens security advisory SSA-691715 in HTML and CSAF

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.  

Siemens Path Traversal TIA Portal

1. EXECUTIVE SUMMARY

CVSS v3 7.3
ATTENTION: Low attack complexity 
Vendor: Siemens 
Equipment: TIA Portal 
Vulnerability: Improper Input Validation 

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to achieve arbitrary code execution. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following software from Siemens is affected: 

TIA Portal V15: All versions 
TIA Portal V16: All versions 
TIA Portal V17: All versions 
TIA Portal V18: All versions prior to v18 Update 1 

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER INPUT VALIDATION CWE-20 

Affected products contain a path traversal vulnerability that could allow the creation or overwriting of arbitrary files in the engineering system. If the user is tricked into opening a malicious PC system configuration file, an attacker could exploit this vulnerability to achieve arbitrary code execution. 

CVE-2023-26293 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

Siemens reported this vulnerability to CISA. 

4. MITIGATIONS

Siemens has released an update for TIA Portal V18 and recommends updating to the latest version. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or not yet, available: 

TIA Portal V18: Update to V18 Update 1 or later version

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk: 

Avoid opening untrusted project files or PC system configuration files. 

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following the recommendations in the product manuals. Additional information on industrial security by Siemens can be found at the Siemens Industrial Security web page

For further inquiries on security vulnerabilities in Siemens’ products and solutions, users should contact the Siemens ProductCERT

For more information, see the associated Siemens security advisory SSA-116924 in HTML and CSAF.  

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages. 
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

No known public exploits specifically target this vulnerability. 

Siemens JT Open and JT Utilities

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity 
Vendor: Siemens  
Equipment: JT Open and JT Utilities 
Vulnerability: Out-of-bounds Read 

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute code in the context of the current process. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens software is affected: 

JT Open: All versions prior to V11.3.2.0 
JT Utilities: All versions prior to V13.3.0.0 

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS READ CWE-125 

The affected applications contain an out-of-bounds read vulnerability past the end of an allocated structure while parsing specially crafted JT files. This could allow an attacker to execute code in the context of the current process. 

CVE-2023-29053 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

Michael Heinzl reported this vulnerability to Siemens. 

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk: 

Do not open untrusted files using JT Open Toolkit or JT Utilities. 
JT Utilities: Update to V13.3.0.0 or a later version. 
JT Open: Update to V11.3.2.0 or a later version. 

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for Industrial Security and following the recommendations in the product manuals. 

Additional information regarding Siemens Industrial Security can be found here

For further inquiries on security vulnerabilities in Siemens products and solutions, users should contact Siemens ProductCERT

For more information, see the associated Siemens security advisory SSA-642810 in HTML and CSAF

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages. 
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. 

Siemens Adaptec maxView Application

1. EXECUTIVE SUMMARY

CVSS v3 6.2
ATTENTION: Low attack complexity  
Vendor: Siemens
Equipment: Adaptec maxView Application
Vulnerability: Exposure of Sensitive Information to an Unauthorized Actor 

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a local attacker to decrypt intercepted local traffic between the browser and the application. A local attacker could perform a machine-in-the-middle attack to modify data in transit. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following software from Siemens is affected: 

SIMATIC IPC1047: All versions  
SIMATIC IPC1047E: All versions with Adaptec maxView Storage Manager prior to 4.09.00.25611 on Windows 
SIMATIC IPC647D: All versions 
SIMATIC IPC647E: All versions with Adaptec maxView Storage Manager prior to 4.09.00.25611 on Windows 
SIMATIC IPC847D: All versions 
SIMATIC IPC847E: All versions with Adaptec maxView Storage Manager prior to 4.09.00.25611 on Windows 

3.2 VULNERABILITY OVERVIEW

3.2.1 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200 

The Adaptec maxView application uses a non-unique TLS certificate across installations to protect communication from the local browser to the local application on affected Siemens devices. A local attacker could use this key to decrypt intercepted local traffic between the browser and the application and could perform a machine-in-the-middle attack to modify data in transit. 

CVE-2023-23588 has been assigned to this vulnerability. A CVSS v3 base score of 6.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple  
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

Siemens reported this vulnerability to CISA. 

4. MITIGATIONS

Adaptec has released updates for the affected products and recommends updating to the latest versions.  Siemens recommends countermeasures for products where updates are not, or not yet available: 

Update maxView Storage Manager to 4.09.00.25611 or later version. 

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk: 

Update the default self-signed device X.509 certificate with a trusted certificate. 

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens’ operational guidelines for industrial security and to follow recommendations in the product manuals.  

Additional information on industrial security by Siemens can be found here

For further inquiries on security vulnerabilities in Siemens products and solutions, users should contact Siemens ProductCERT

For more information, see the associated Siemens security advisory SSA-511182 in HTML and CSAF

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. 

FANUC ROBOGUIDE-HandlingPRO

1. EXECUTIVE SUMMARY

CVSS v3 6.8
ATTENTION: Exploitable remotely 
Vendor: FANUC 
Equipment: ROBOGUIDE-HandlingPRO 
Vulnerability: Path Traversal 

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to read and/or overwrite files on the system running the affected software. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of ROBOGUIDE-HandlingPRO, a robot simulation software, are affected: 

ROBOGUIDE-HandlingPRO: Versions 9 Rev.ZD and prior 

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER LIMITA8TION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22 

FANUC ROBOGUIDE-HandlingPRO Versions 9 Rev.ZD and prior is vulnerable to a path traversal, which could allow an attacker to remotely read files on the system running the affected software. 

CVE-2023-1864 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Japan 

3.4 RESEARCHER

Yenting Lee of TXOne Networks reported this vulnerability to CISA. 

4. MITIGATIONS

FANUC recommends users update to the latest version

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. High attack complexity. 

mySCADA myPRO

1. EXECUTIVE SUMMARY

CVSS v3 9.9 
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available 
Vendor: mySCADA Technologies 
Equipment: mySCADA myPRO 
Vulnerabilities: OS Command Injection 

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an authenticated user to inject arbitrary operating system commands. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of myPRO HMI/SCADA systems are affected: 

myPRO: versions 8.26.0 and prior 

3.2 VULNERABILITY OVERVIEW

3.2.1 OS COMMAND INJECTION CWE-78 

mySCADA myPRO versions 8.26.0 and prior has parameters which an authenticated user could exploit to inject arbitrary operating system commands. 

CVE-2023-28400 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). 

3.2.2 OS COMMAND INJECTION CWE-78 

mySCADA myPRO versions 8.26.0 and prior has parameters which an authenticated user could exploit to inject arbitrary operating system commands. 

CVE-2023-28716 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). 

3.2.3 OS COMMAND INJECTION CWE-78 

mySCADA myPRO versions 8.26.0 and prior has parameters which an authenticated user could exploit to inject arbitrary operating system commands. 

CVE-2023-28384 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). 

3.2.4 OS COMMAND INJECTION CWE-78 

mySCADA myPRO versions 8.26.0 and prior has parameters which an authenticated user could exploit to inject arbitrary operating system commands. 

CVE-2023-29169 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). 

3.2.5 OS COMMAND INJECTION CWE-78 

mySCADA myPRO versions 8.26.0 and prior has parameters which an authenticated user could exploit to inject arbitrary operating system commands. 

CVE-2023-29150 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Food and Agriculture, Transportation Systems, Water and Wastewater Systems 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Czech Republic 

3.4 RESEARCHER

Michael Heinzl publicly disclosed these vulnerabilities on the internet. 

4. MITIGATIONS

mySCADA recommends users upgrade to version 8.29.0 or higher. For more information, contact mySCADA technical support. mySCADA will also send security advice by email to all registered users. 

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Ensure the least-privilege user principle is followed. 
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages. 
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

Known public exploits specifically target these vulnerabilities.  These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity.