Category: CISA Alerts

Schneider Electric PowerChute Serial Shutdown

Posted on by itwadmin-security

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 6.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: PowerChute Serial Shutdown
Vulnerability: Improper Authentication

2. RISK EVALUATION
Successful exploitation of this vulnerability could cause a denial of access to the web interface when someone on the local network repeatedly requests the /accessdenied URL.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports the following versions of PowerChute Serial Shutdown are affected:

PowerChute Serial Shutdown: Versions 1.2.0.301 and prior

3.2 Vulnerability Overview
3.2.1 IMPROPER AUTHENTICATION CWE-287
An improper authentication vulnerability exists that could cause a denial of access to the web interface when someone on the local network repeatedly requests the /accessdenied URL.
CVE-2024-10511 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
A CVSS v4 score has also been calculated for CVE-2024-10511. A base score of 6.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER
Schneider Electric reported this vulnerability to CISA.
4. MITIGATIONS
Schneider Electric recommends the following mitigations for the affected product:

PowerChute Serial Shutdown: Versions v1.2.0.301 and prior: Update to PowerChute Serial Shutdown: Version 1.3

For users to be informed of all updates, including details on affected products and remediation plans, subscribe to Schneider Electric’s security notification service here:https://www.se.com/ww/en/work/support/cybersecurity/notification-contact.jsp
Schneider Electric strongly recommend the following industry cybersecurity best practices:

Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
Place all controllers in locked cabinets and never leave them in the “Program” mode.
Never connect programming software to any network other than the network intended for that device.
Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document and the associated Schneider Electric Security Notification SEVD-2024-345-01 in PDF and CSAF.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

January 10, 2025: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 6.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Schneider Electric
  • Equipment: PowerChute Serial Shutdown
  • Vulnerability: Improper Authentication

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause a denial of access to the web interface when someone on the local network repeatedly requests the /accessdenied URL.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports the following versions of PowerChute Serial Shutdown are affected:

  • PowerChute Serial Shutdown: Versions 1.2.0.301 and prior

3.2 Vulnerability Overview

3.2.1 IMPROPER AUTHENTICATION CWE-287

An improper authentication vulnerability exists that could cause a denial of access to the web interface when someone on the local network repeatedly requests the /accessdenied URL.

CVE-2024-10511 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2024-10511. A base score of 6.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Schneider Electric reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric recommends the following mitigations for the affected product:

For users to be informed of all updates, including details on affected products and remediation plans, subscribe to Schneider Electric’s security notification service here:
https://www.se.com/ww/en/work/support/cybersecurity/notification-contact.jsp

Schneider Electric strongly recommend the following industry cybersecurity best practices:

  • Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
  • Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
  • Place all controllers in locked cabinets and never leave them in the “Program” mode.
  • Never connect programming software to any network other than the network intended for that device.
  • Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
  • Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
  • Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document and the associated Schneider Electric Security Notification SEVD-2024-345-01 in PDF and CSAF.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • January 10, 2025: Initial Publication

 Read More

CISA Releases the Cybersecurity Performance Goals Adoption Report

Posted on by itwadmin-security

 ​Today, CISA released the Cybersecurity Performance Goals Adoption Report to highlight how adoption of Cybersecurity Performance Goals (CPGs) benefits our nation’s critical infrastructure sectors. Originally released in October 2022, CISA’s CPGs are voluntary practices that critical infrastructure owners can take to protect themselves against cyber threats. 
This report is based on analysis of 7,791 critical infrastructure organizations enrolled in CISA’s Vulnerability Scanning service from Aug. 1, 2022, through Aug. 31, 2024. Data reveals that four critical infrastructure sectors are most impacted by CPG adoption: Healthcare and Public Health, Water and Wastewater Systems, Communications, and Government Services and Facilities. These four sectors have strong partnerships with CISA.
As CISA strengthens partnerships across all 16 critical infrastructure sectors, the agency hopes that CPG adoption will continue to expand. CISA urges critical infrastructure to learn more by visiting Cross-Sector Cybersecurity Performance Goals.  

Today, CISA released the Cybersecurity Performance Goals Adoption Report to highlight how adoption of Cybersecurity Performance Goals (CPGs) benefits our nation’s critical infrastructure sectors. Originally released in October 2022, CISA’s CPGs are voluntary practices that critical infrastructure owners can take to protect themselves against cyber threats. 

This report is based on analysis of 7,791 critical infrastructure organizations enrolled in CISA’s Vulnerability Scanning service from Aug. 1, 2022, through Aug. 31, 2024. Data reveals that four critical infrastructure sectors are most impacted by CPG adoption: Healthcare and Public Health, Water and Wastewater Systems, Communications, and Government Services and Facilities. These four sectors have strong partnerships with CISA.

As CISA strengthens partnerships across all 16 critical infrastructure sectors, the agency hopes that CPG adoption will continue to expand. CISA urges critical infrastructure to learn more by visiting Cross-Sector Cybersecurity Performance Goals

 Read More

CISA Releases Four Industrial Control Systems Advisories

Posted on by itwadmin-security

 ​CISA released four Industrial Control Systems (ICS) advisories on January 10, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-25-010-01 Schneider Electric PowerChute Serial Shutdown
ICSA-25-010-02 Schneider Electric Harmony HMI and Pro-face HMI Products
ICSA-25-010-03 Delta Electronics DRASimuCAD 
ICSA-24-345-06 Rockwell Automation Arena (Update A)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations. 

CISA released four Industrial Control Systems (ICS) advisories on January 10, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

 Read More

Schneider Electric Harmony HMI and Pro-face HMI Products

Posted on by itwadmin-security

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: Harmony HMI and Pro-face HMI Products
Vulnerability: Use of Unmaintained Third-Party Components

2. RISK EVALUATION
Successful exploitation of this vulnerability could cause complete control of the device when an authenticated user installs malicious code into HMI product
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports the following versions of Harmony HMI and Pro-face HMI are affected:

Harmony HMIST6: All versions
Harmony HMISTM6: All versions
Harmony HMIG3U: All versions
Harmony HMIG3X: All versions
Harmony HMISTO7 series with Ecostruxure Operator Terminal Expert runtime: All versions
PFXST6000: All versions
PFXSTM6000: All versions
PFXSP5000: All versions
PFXGP4100 series with Pro-face BLUE runtime: All versions

3.2 Vulnerability Overview
3.2.1 USE OF UNMAINTAINED THIRD-PARTY COMPONENTS CWE-1104
The affected product is vulnerable to a use of an unmaintained third-party component vulnerability that could cause complete control of the device when an authenticated user installs malicious code into HMI product.
CVE-2024-11999 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-11999. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Energy, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER
Schneider Electric reported this vulnerability to CISA.
4. MITIGATIONS
Schneider Electric recommends for users to immediately apply the following mitigations to reduce the risk of exploit:

Use HMI only in a protected environment to minimize network exposure and ensure that they are not accessible from public Internet or untrusted networks.
Setup network segmentation and implement a firewall to block all unauthorized access.
Restrict usage of unverifiable portable media.
Restricting the application access to limit the transfer of Firmware to HMIScanning of software/files for rootkits before usage and verifying the digital signature.
When exchanging files over the network, use secure communication protocols.

For users to be informed of all updates, including details on affected products and remediation plans, subscribe to Schneider Electric’s security notification service here:https://www.se.com/ww/en/work/support/cybersecurity/notification-contact.jsp
Schneider Electric strongly recommend the following industry cybersecurity best practices:

Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
Place all controllers in locked cabinets and never leave them in the “Program” mode.
Never connect programming software to any network other than the network intended for that device.
Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document and the associated Schneider Electric Security Notification SEVD-2024-345-02 in PDF and CSAF.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

January 10, 2025: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Schneider Electric
  • Equipment: Harmony HMI and Pro-face HMI Products
  • Vulnerability: Use of Unmaintained Third-Party Components

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause complete control of the device when an authenticated user installs malicious code into HMI product

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports the following versions of Harmony HMI and Pro-face HMI are affected:

  • Harmony HMIST6: All versions
  • Harmony HMISTM6: All versions
  • Harmony HMIG3U: All versions
  • Harmony HMIG3X: All versions
  • Harmony HMISTO7 series with Ecostruxure Operator Terminal Expert runtime: All versions
  • PFXST6000: All versions
  • PFXSTM6000: All versions
  • PFXSP5000: All versions
  • PFXGP4100 series with Pro-face BLUE runtime: All versions

3.2 Vulnerability Overview

3.2.1 USE OF UNMAINTAINED THIRD-PARTY COMPONENTS CWE-1104

The affected product is vulnerable to a use of an unmaintained third-party component vulnerability that could cause complete control of the device when an authenticated user installs malicious code into HMI product.

CVE-2024-11999 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-11999. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Energy, Water and Wastewater Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Schneider Electric reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric recommends for users to immediately apply the following mitigations to reduce the risk of exploit:

  • Use HMI only in a protected environment to minimize network exposure and ensure that they are not accessible from public Internet or untrusted networks.
  • Setup network segmentation and implement a firewall to block all unauthorized access.
  • Restrict usage of unverifiable portable media.
  • Restricting the application access to limit the transfer of Firmware to HMIScanning of software/files for rootkits before usage and verifying the digital signature.
  • When exchanging files over the network, use secure communication protocols.

For users to be informed of all updates, including details on affected products and remediation plans, subscribe to Schneider Electric’s security notification service here:
https://www.se.com/ww/en/work/support/cybersecurity/notification-contact.jsp

Schneider Electric strongly recommend the following industry cybersecurity best practices:

  • Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
  • Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
  • Place all controllers in locked cabinets and never leave them in the “Program” mode.
  • Never connect programming software to any network other than the network intended for that device.
  • Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
  • Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
  • Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document and the associated Schneider Electric Security Notification SEVD-2024-345-02 in PDF and CSAF.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • January 10, 2025: Initial Publication

 Read More

CISA Adds One Vulnerability to the KEV Catalog

Posted on by itwadmin-security

 ​CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2025-0282 Ivanti Connect Secure Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
CISA urges organizations to apply mitigations as set forth in the CISA instructions linked below to include conducting hunt activities, taking remediation actions if applicable, and applying updates prior to returning a device to service

Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283)
CISA Mitigation Instructions for CVE-2025-0282 

Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

CISA urges organizations to apply mitigations as set forth in the CISA instructions linked below to include conducting hunt activities, taking remediation actions if applicable, and applying updates prior to returning a device to service

Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

 Read More

Ivanti Releases Security Updates for Connect Secure, Policy Secure, and ZTA Gateways

Posted on by itwadmin-security

 ​Ivanti released security updates to address vulnerabilities (CVE-2025-0282, CVE-2025-0283) in Ivanti Connect Secure, Policy Secure, and ZTA Gateways. A cyber threat actor could exploit CVE-2025-0282 to take control of an affected system.CISA has added CVE-2025-0282 to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CISA urges organizations to hunt for any malicious activity, report any positive findings to CISA, and review the following for more information:

Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283)

For all instances of Ivanti Connect Secure, Policy Secure, and ZTA Gateways, see the following steps for general hunting guidance:

Conduct threat hunting actions:  

Run the In-Build Integrity Checker Tool (ICT). Instructions can be found here. 
Conduct threat hunt actions on any systems connected to—or recently connected to—the affected Ivanti device.  

If threat hunting actions determine no compromise: 

Factory reset the device and apply the patch described in Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283). 
Monitor the authentication or identity management services that could be exposed. 
Continue to audit privilege level access accounts. 

If threat hunting actions determine compromise: 

Report to CISA and Ivanti immediately to start forensic investigation and incident response activities.  
Disconnect instances of affected Ivanti Connect Secure products.  
Isolate the systems from any enterprise resources to the greatest degree possible. 
Revoke and reissue any connected or exposed certificates, keys, and passwords, to include the following: 

Reset the admin enable password. 
Reset stored application programming interface (API) keys. 
Reset the password of any local user defined on the gateway, including service accounts used for auth server configuration(s).  

If domain accounts associated with the affected products have been compromised: 

Reset passwords twice for on premise accounts, revoke Kerberos tickets, and then revoke tokens for cloud accounts in hybrid deployments. 
For cloud joined/registered devices, disable devices in the cloud to revoke the device tokens.

After investigation, fully patch and restore system to service.

Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. 

Ivanti released security updates to address vulnerabilities (CVE-2025-0282, CVE-2025-0283) in Ivanti Connect Secure, Policy Secure, and ZTA Gateways. A cyber threat actor could exploit CVE-2025-0282 to take control of an affected system.

CISA has added CVE-2025-0282 to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CISA urges organizations to hunt for any malicious activity, report any positive findings to CISA, and review the following for more information:

For all instances of Ivanti Connect Secure, Policy Secure, and ZTA Gateways, see the following steps for general hunting guidance:

  1. Conduct threat hunting actions:  
    1. Run the In-Build Integrity Checker Tool (ICT). Instructions can be found here
    2. Conduct threat hunt actions on any systems connected to—or recently connected to—the affected Ivanti device.  
  2. If threat hunting actions determine no compromise: 
    1. Factory reset the device and apply the patch described in Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283)
    2. Monitor the authentication or identity management services that could be exposed. 
    3. Continue to audit privilege level access accounts. 
  3. If threat hunting actions determine compromise: 
    1. Report to CISA and Ivanti immediately to start forensic investigation and incident response activities.  
    2. Disconnect instances of affected Ivanti Connect Secure products.  
    3. Isolate the systems from any enterprise resources to the greatest degree possible. 
    4. Revoke and reissue any connected or exposed certificates, keys, and passwords, to include the following: 
      1. Reset the admin enable password. 
      2. Reset stored application programming interface (API) keys. 
      3. Reset the password of any local user defined on the gateway, including service accounts used for auth server configuration(s).  
    5. If domain accounts associated with the affected products have been compromised: 
      1. Reset passwords twice for on premise accounts, revoke Kerberos tickets, and then revoke tokens for cloud accounts in hybrid deployments. 
      2. For cloud joined/registered devices, disable devices in the cloud to revoke the device tokens.
    6. After investigation, fully patch and restore system to service.

Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

 Read More

CISA Adds Three Known Exploited Vulnerabilities to Catalog

Posted on by itwadmin-security

 ​CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2024-41713 Mitel MiCollab Path Traversal Vulnerability
CVE-2024-55550 Mitel MiCollab Path Traversal Vulnerability
CVE-2020-2883 Oracle WebLogic Server Unspecified Vulnerability

Users and administrators are also encouraged to review the Palo Alto Threat Brief: Operation Lunar Peek related to CVE-2024-0012, the Palo Alto Security Bulletin for CVE-2024-0012, and the Palo Alto Security Bulletin for CVE-2024-9474 for additional information. 
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

Users and administrators are also encouraged to review the Palo Alto Threat Brief: Operation Lunar Peek related to CVE-2024-0012, the Palo Alto Security Bulletin for CVE-2024-0012, and the Palo Alto Security Bulletin for CVE-2024-9474 for additional information. 

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

 Read More

CISA Releases Two Industrial Control Systems Advisories

Posted on by itwadmin-security

 ​CISA released two Industrial Control Systems (ICS) advisories on January 7, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-25-007-01 ABB ASPECT-Enterprise, NEXUS, and MATRIX Series Products
ICSA-25-007-02 Nedap Librix Ecoreader

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations. 

CISA released two Industrial Control Systems (ICS) advisories on January 7, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

 Read More

ABB ASPECT-Enterprise, NEXUS, and MATRIX Series Products

Posted on by itwadmin-security

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v3 10.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: ABB
Equipment: ASPECT-Enterprise, NEXUS, and MATRIX series
Vulnerabilities: Files or Directories Accessible to External Parties, Improper Validation of Specified Type of Input, Cleartext Transmission of Sensitive Information, Cross-site Scripting, Server-Side Request Forgery (SSRF), Improper Neutralization of Special Elements in Data Query Logic, Allocation of Resources Without Limits or Throttling, Weak Password Requirements, Cross-Site Request Forgery (CSRF), Use of Weak Hash, Code Injection, PHP Remote File Inclusion, External Control of System or Configuration Setting, Insufficiently Protected Credentials, Unrestricted Upload of File with Dangerous Type, Absolute Path Traversal, Use of Default Credentials, Off-by-one Error, Use of Default Password, Session Fixation

2. RISK EVALUATION
Multiple vulnerabilities in ABB ASPECT-Enterprise, NEXUS, and MATRIX series products have been reported, which could enable an attacker to disrupt operations or execute remote code.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
ABB reports the following products are affected:

ABB NEXUS Series: NEXUS-3-x <=3.08.02 (CVE-2024-6515, CVE-2024-6516, CVE-2024-6784, CVE-2024-48843, CVE-2024-48844, CVE-2024-48846, CVE-2024-48839, CVE-2024-48840, CVE-2024-51541, CVE-2024-51542, CVE-2024-51543, CVE-2024-51544, CVE-2024-51545, CVE-2024-51546, CVE-2024-51548, CVE-2024-51549, CVE-2024-51550, CVE-2024-51554, CVE-2024-11316, CVE-2024-11317)
ABB NEXUS Series: NEX-2x <=3.07.02 (CVE-2024-48845, CVE-2024-51551, CVE-2024-51555)
ABB NEXUS Series: NEX-2x <=3.08.02 (CVE-2024-6515, CVE-2024-6516, CVE-2024-6784, CVE-2024-48843, CVE-2024-48844, CVE-2024-48846, CVE-2024-48839, CVE-2024-48840, CVE-2024-51541, CVE-2024-51542, CVE-2024-51543, CVE-2024-51544, CVE-2024-51545, CVE-2024-51546, CVE-2024-51548, CVE-2024-51549, CVE-2024-51550, CVE-2024-51554, CVE-2024-11316, CVE-2024-11317)
ABB NEXUS Series: NEXUS-3-x <=3.08.01 (CVE-2024-6209, CVE-2024-6298, CVE-2024-48847)
ABB ASPECT-Enterprise: ASP-ENT-x <=3.08.02 (CVE-2024-6515, CVE-2024-6516, CVE-2024-6784, CVE-2024-48843, CVE-2024-48844, CVE-2024-48846, CVE-2024-48839, CVE-2024-48840, CVE-2024-51541, CVE-2024-51542, CVE-2024-51543, CVE-2024-51544, CVE-2024-51545, CVE-2024-51546, CVE-2024-51548, CVE-2024-51549, CVE-2024-51550, CVE-2024-51554, CVE-2024-11316, CVE-2024-11317)
ABB MATRIX Series: MAT-x <=3.08.02 (CVE-2024-6515, CVE-2024-6516, CVE-2024-6784, CVE-2024-48843, CVE-2024-48844, CVE-2024-48846, CVE-2024-48839, CVE-2024-48840, CVE-2024-51541, CVE-2024-51542, CVE-2024-51543, CVE-2024-51544, CVE-2024-51545, CVE-2024-51546, CVE-2024-51548, CVE-2024-51549, CVE-2024-51550, CVE-2024-51554, CVE-2024-11316, CVE-2024-11317)
ABB MATRIX Series: MAT-x <=3.08.01 (CVE-2024-6209, CVE-2024-6298, CVE-2024-48847)
ABB MATRIX Series: MAT-x <=3.07.02 (CVE-2024-48845, CVE-2024-51551, CVE-2024-51555)
ABB ASPECT-Enterprise: ASP-ENT-x <=3.08.01 (CVE-2024-6209, CVE-2024-6298, CVE-2024-48847)
ABB ASPECT-Enterprise: ASP-ENT-x <=3.07.02 (CVE-2024-48845, CVE-2024-51551, CVE-2024-51555)
ABB NEXUS Series: NEX-2x <=3.08.01 (CVE-2024-6209, CVE-2024-6298, CVE-2024-48847)
ABB NEXUS Series: NEXUS-3-x <=3.07.02 (CVE-2024-48845, CVE-2024-51551, CVE-2024-51555)

3.2 VULNERABILITY OVERVIEW
3.2.1 FILES OR DIRECTORIES ACCESSIBLE TO EXTERNAL PARTIES CWE-552
Unauthorized file access in WEB Server in ASPECT versions 3.08.01 and prior allow an attacker to access files unauthorized.
CVE-2024-6209 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
3.2.2 IMPROPER VALIDATION OF SPECIFIED TYPE OF INPUT CWE-1287
An improper input validation vulnerability in ASPECT allows remote code inclusion.
CVE-2024-6298 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
3.2.3 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319
Web browser interface may manipulate application username/password in clear text or Base64 encoding in ABB ASPECT providing a higher probability of unintended credentials exposure.
CVE-2024-6515 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).
3.2.4 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79
A cross-site scripting vulnerability was found in ABB ASPECT providing a potential for malicious scripts to be injected into a client browser.
CVE-2024-6516 has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L).
3.2.5 SERVER-SIDE REQUEST FORGERY (SSRF) CWE-918
A server-side request forgery vulnerability was found in ASPECT providing a potential for access to unauthorized resources and unintended information disclosure.
CVE-2024-6784 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
3.2.6 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN DATA QUERY LOGIC CWE-943
A SQL injection vulnerability was found in ASPECT providing a potential for unintended information disclosure.
CVE-2024-48843 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N).
3.2.7 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770
A denial of service vulnerability was found in ASPECT providing a potential for device service disruptions.
CVE-2024-48844 has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H).
3.2.8 WEAK PASSWORD REQUIREMENTS CWE-521
A weak password reset rules vulnerability was found in ASPECT providing a potential for the storage of weak passwords that could facilitate unauthorized admin/application access.
CVE-2024-48845 has been assigned to this vulnerability. A CVSS v3 base score of 9.4 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).
3.2.9 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352
A cross site request forgery vulnerability was found in ASPECT providing a potential for exposing sensitive information or changing system settings.
CVE-2024-48846 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N).
3.2.10.0 USE OF WEAK HASH CWE-328
A MD5 checksum bypass vulnerability was found in ASPECT exploiting a weakness in the way an application dependency calculates or validates MD5 checksum hashes.
CVE-2024-48847 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N).
3.2.11 IMPROPER CONTROL OF GENERATION OF CODE (‘CODE INJECTION’) CWE-94
An improper input validation vulnerability in ASPECT allows remote code execution.
CVE-2024-48839 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L).
3.2.12 IMPROPER CONTROL OF GENERATION OF CODE (‘CODE INJECTION’) CWE-94
An unauthorized access vulnerability in ASPECT allows remote code execution.
CVE-2024-48840 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L).
3.2.13 IMPROPER CONTROL OF FILENAME FOR INCLUDE/REQUIRE STATEMENT IN PHP PROGRAM (‘PHP REMOTE FILE INCLUSION’) CWE-98
A local file inclusion vulnerability in ASPECT allows access to sensitive system information.
CVE-2024-51541 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).
3.2.14 FILES OR DIRECTORIES ACCESSIBLE TO EXTERNAL PARTIES CWE-552
A configuration download vulnerability in ASPECT allows access to dependency configuration information.
CVE-2024-51542 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).
3.2.15 EXTERNAL CONTROL OF SYSTEM OR CONFIGURATION SETTING CWE-15
An information disclosure vulnerability in ASPECT allows access to application configuration information.
CVE-2024-51543 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).
3.2.16 EXTERNAL CONTROL OF SYSTEM OR CONFIGURATION SETTING CWE-15
A service control vulnerability in ASPECT allows access to service restart requests and vm configuration settings.
CVE-2024-51544 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).
3.2.17 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522
An username enumeration vulnerability in ASPECT allows access to application level username add, delete, modify and list functions.
CVE-2024-51545 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
3.2.18 IMPROPER VALIDATION OF SPECIFIED TYPE OF INPUT CWE-1287
A credentials disclosure vulnerability in ASPECT allow access to on board project backup bundles.
CVE-2024-51546 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
3.2.19 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434
A dangerous file upload vulnerability in ASPECT allows upload of malicious scripts.
CVE-2024-51548 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
3.2.20 ABSOLUTE PATH TRAVERSAL CWE-36
An absolute file traversal vulnerability in ASPECT allows access and modification of unintended resources.
CVE-2024-51549 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L).
3.2.21 IMPROPER VALIDATION OF SPECIFIED TYPE OF INPUT CWE-1287
A data validation / data sanitization vulnerability in ASPECT Linux allows unvalidated and unsanitized data to be injected in an ASPECT device.
CVE-2024-51550 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L).
3.2.22 USE OF DEFAULT CREDENTIALS CWE-1392
A default credential vulnerability in ASPECT on Linux allows access to an ASPECT device using publicly available default credentials.
CVE-2024-51551 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
3.2.23 OFF-BY-ONE ERROR CWE-193
An off by one error vulnerability in ASPECT allow an array out of bounds condition in a log script.
CVE-2024-51554 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L).
3.2.24 USE OF DEFAULT PASSWORD CWE-1393
Default credential vulnerability in ASPECT allows access to an ASPECT device using publicly available default credentials, since the system does not require the installer to change default credentials.
CVE-2024-51555 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
3.2.25 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770
A filesize check vulnerability in ASPECT allow a malicious user to bypass size limits or overload an ASPECT device.
CVE-2024-11316 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
3.2.26 SESSION FIXATION CWE-384
Session fixation vulnerability in ASPECT allow an attacker to fix a user’s session identifier before login providing an opportunity for session takeover on an ASPECT device.
CVE-2024-11317 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER
Gjoko Krstikj of Zero Science Lab reported these vulnerabilities to CISA.
4. MITIGATIONS
ABB has identified the following specific workarounds and mitigations users can apply to reduce risk:

(CVE-2024-6209, CVE-2024-6298, CVE-2024-48847) ASP-ENT-x <=3.08.01, NEX-2x <=3.08.01, MAT-x <=3.08.01, NEXUS-3-x <=3.08.01: The vulnerabilities have been resolved in product versions 3.08.02 and later.
(CVE-2024-6515, CVE-2024-6516, CVE-2024-6784, CVE-2024-48843, CVE-2024-48844, CVE-2024-48846, CVE-2024-48839, CVE-2024-48840, CVE-2024-51541, CVE-2024-51542, CVE-2024-51543, CVE-2024-51544, CVE-2024-51545, CVE-2024-51546, CVE-2024-51548, CVE-2024-51549, CVE-2024-51550, CVE-2024-51554, CVE-2024-11316, CVE-2024-11317) ASP-ENT-x <=3.08.02, NEX-2x <=3.08.02, NEXUS-3-x <=3.08.02, MAT-x <=3.08.02: The vulnerabilities have been resolved in product versions 3.08.03 and later.
(CVE-2024-48845) ASP-ENT-x <=3.07.02, NEXUS-3-x <=3.07.02, NEX-2x <=3.07.02, MAT-x <=3.07.02: The vulnerabilities have been resolved in product versions 3.08.00 and later.
(CVE-2024-51551, CVE-2024-51555) ASP-ENT-x <=3.07.02, NEXUS-3-x <=3.07.02, NEX-2x <=3.07.02, MAT-x <=3.07.02: The vulnerabilities have been resolved in product versions 3.08.00 and later.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

January 7, 2025: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 10.0
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: ABB
  • Equipment: ASPECT-Enterprise, NEXUS, and MATRIX series
  • Vulnerabilities: Files or Directories Accessible to External Parties, Improper Validation of Specified Type of Input, Cleartext Transmission of Sensitive Information, Cross-site Scripting, Server-Side Request Forgery (SSRF), Improper Neutralization of Special Elements in Data Query Logic, Allocation of Resources Without Limits or Throttling, Weak Password Requirements, Cross-Site Request Forgery (CSRF), Use of Weak Hash, Code Injection, PHP Remote File Inclusion, External Control of System or Configuration Setting, Insufficiently Protected Credentials, Unrestricted Upload of File with Dangerous Type, Absolute Path Traversal, Use of Default Credentials, Off-by-one Error, Use of Default Password, Session Fixation

2. RISK EVALUATION

Multiple vulnerabilities in ABB ASPECT-Enterprise, NEXUS, and MATRIX series products have been reported, which could enable an attacker to disrupt operations or execute remote code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

ABB reports the following products are affected:

  • ABB NEXUS Series: NEXUS-3-x <=3.08.02 (CVE-2024-6515, CVE-2024-6516, CVE-2024-6784, CVE-2024-48843, CVE-2024-48844, CVE-2024-48846, CVE-2024-48839, CVE-2024-48840, CVE-2024-51541, CVE-2024-51542, CVE-2024-51543, CVE-2024-51544, CVE-2024-51545, CVE-2024-51546, CVE-2024-51548, CVE-2024-51549, CVE-2024-51550, CVE-2024-51554, CVE-2024-11316, CVE-2024-11317)
  • ABB NEXUS Series: NEX-2x <=3.07.02 (CVE-2024-48845, CVE-2024-51551, CVE-2024-51555)
  • ABB NEXUS Series: NEX-2x <=3.08.02 (CVE-2024-6515, CVE-2024-6516, CVE-2024-6784, CVE-2024-48843, CVE-2024-48844, CVE-2024-48846, CVE-2024-48839, CVE-2024-48840, CVE-2024-51541, CVE-2024-51542, CVE-2024-51543, CVE-2024-51544, CVE-2024-51545, CVE-2024-51546, CVE-2024-51548, CVE-2024-51549, CVE-2024-51550, CVE-2024-51554, CVE-2024-11316, CVE-2024-11317)
  • ABB NEXUS Series: NEXUS-3-x <=3.08.01 (CVE-2024-6209, CVE-2024-6298, CVE-2024-48847)
  • ABB ASPECT-Enterprise: ASP-ENT-x <=3.08.02 (CVE-2024-6515, CVE-2024-6516, CVE-2024-6784, CVE-2024-48843, CVE-2024-48844, CVE-2024-48846, CVE-2024-48839, CVE-2024-48840, CVE-2024-51541, CVE-2024-51542, CVE-2024-51543, CVE-2024-51544, CVE-2024-51545, CVE-2024-51546, CVE-2024-51548, CVE-2024-51549, CVE-2024-51550, CVE-2024-51554, CVE-2024-11316, CVE-2024-11317)
  • ABB MATRIX Series: MAT-x <=3.08.02 (CVE-2024-6515, CVE-2024-6516, CVE-2024-6784, CVE-2024-48843, CVE-2024-48844, CVE-2024-48846, CVE-2024-48839, CVE-2024-48840, CVE-2024-51541, CVE-2024-51542, CVE-2024-51543, CVE-2024-51544, CVE-2024-51545, CVE-2024-51546, CVE-2024-51548, CVE-2024-51549, CVE-2024-51550, CVE-2024-51554, CVE-2024-11316, CVE-2024-11317)
  • ABB MATRIX Series: MAT-x <=3.08.01 (CVE-2024-6209, CVE-2024-6298, CVE-2024-48847)
  • ABB MATRIX Series: MAT-x <=3.07.02 (CVE-2024-48845, CVE-2024-51551, CVE-2024-51555)
  • ABB ASPECT-Enterprise: ASP-ENT-x <=3.08.01 (CVE-2024-6209, CVE-2024-6298, CVE-2024-48847)
  • ABB ASPECT-Enterprise: ASP-ENT-x <=3.07.02 (CVE-2024-48845, CVE-2024-51551, CVE-2024-51555)
  • ABB NEXUS Series: NEX-2x <=3.08.01 (CVE-2024-6209, CVE-2024-6298, CVE-2024-48847)
  • ABB NEXUS Series: NEXUS-3-x <=3.07.02 (CVE-2024-48845, CVE-2024-51551, CVE-2024-51555)

3.2 VULNERABILITY OVERVIEW

3.2.1 FILES OR DIRECTORIES ACCESSIBLE TO EXTERNAL PARTIES CWE-552

Unauthorized file access in WEB Server in ASPECT versions 3.08.01 and prior allow an attacker to access files unauthorized.

CVE-2024-6209 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.2 IMPROPER VALIDATION OF SPECIFIED TYPE OF INPUT CWE-1287

An improper input validation vulnerability in ASPECT allows remote code inclusion.

CVE-2024-6298 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.3 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

Web browser interface may manipulate application username/password in clear text or Base64 encoding in ABB ASPECT providing a higher probability of unintended credentials exposure.

CVE-2024-6515 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).

3.2.4 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

A cross-site scripting vulnerability was found in ABB ASPECT providing a potential for malicious scripts to be injected into a client browser.

CVE-2024-6516 has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L).

3.2.5 SERVER-SIDE REQUEST FORGERY (SSRF) CWE-918

A server-side request forgery vulnerability was found in ASPECT providing a potential for access to unauthorized resources and unintended information disclosure.

CVE-2024-6784 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.2.6 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN DATA QUERY LOGIC CWE-943

A SQL injection vulnerability was found in ASPECT providing a potential for unintended information disclosure.

CVE-2024-48843 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N).

3.2.7 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

A denial of service vulnerability was found in ASPECT providing a potential for device service disruptions.

CVE-2024-48844 has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H).

3.2.8 WEAK PASSWORD REQUIREMENTS CWE-521

A weak password reset rules vulnerability was found in ASPECT providing a potential for the storage of weak passwords that could facilitate unauthorized admin/application access.

CVE-2024-48845 has been assigned to this vulnerability. A CVSS v3 base score of 9.4 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).

3.2.9 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

A cross site request forgery vulnerability was found in ASPECT providing a potential for exposing sensitive information or changing system settings.

CVE-2024-48846 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N).

3.2.10.0 USE OF WEAK HASH CWE-328

A MD5 checksum bypass vulnerability was found in ASPECT exploiting a weakness in the way an application dependency calculates or validates MD5 checksum hashes.

CVE-2024-48847 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N).

3.2.11 IMPROPER CONTROL OF GENERATION OF CODE (‘CODE INJECTION’) CWE-94

An improper input validation vulnerability in ASPECT allows remote code execution.

CVE-2024-48839 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L).

3.2.12 IMPROPER CONTROL OF GENERATION OF CODE (‘CODE INJECTION’) CWE-94

An unauthorized access vulnerability in ASPECT allows remote code execution.

CVE-2024-48840 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L).

3.2.13 IMPROPER CONTROL OF FILENAME FOR INCLUDE/REQUIRE STATEMENT IN PHP PROGRAM (‘PHP REMOTE FILE INCLUSION’) CWE-98

A local file inclusion vulnerability in ASPECT allows access to sensitive system information.

CVE-2024-51541 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).

3.2.14 FILES OR DIRECTORIES ACCESSIBLE TO EXTERNAL PARTIES CWE-552

A configuration download vulnerability in ASPECT allows access to dependency configuration information.

CVE-2024-51542 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).

3.2.15 EXTERNAL CONTROL OF SYSTEM OR CONFIGURATION SETTING CWE-15

An information disclosure vulnerability in ASPECT allows access to application configuration information.

CVE-2024-51543 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).

3.2.16 EXTERNAL CONTROL OF SYSTEM OR CONFIGURATION SETTING CWE-15

A service control vulnerability in ASPECT allows access to service restart requests and vm configuration settings.

CVE-2024-51544 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

3.2.17 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

An username enumeration vulnerability in ASPECT allows access to application level username add, delete, modify and list functions.

CVE-2024-51545 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.18 IMPROPER VALIDATION OF SPECIFIED TYPE OF INPUT CWE-1287

A credentials disclosure vulnerability in ASPECT allow access to on board project backup bundles.

CVE-2024-51546 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.19 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

A dangerous file upload vulnerability in ASPECT allows upload of malicious scripts.

CVE-2024-51548 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.2.20 ABSOLUTE PATH TRAVERSAL CWE-36

An absolute file traversal vulnerability in ASPECT allows access and modification of unintended resources.

CVE-2024-51549 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L).

3.2.21 IMPROPER VALIDATION OF SPECIFIED TYPE OF INPUT CWE-1287

A data validation / data sanitization vulnerability in ASPECT Linux allows unvalidated and unsanitized data to be injected in an ASPECT device.

CVE-2024-51550 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L).

3.2.22 USE OF DEFAULT CREDENTIALS CWE-1392

A default credential vulnerability in ASPECT on Linux allows access to an ASPECT device using publicly available default credentials.

CVE-2024-51551 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.23 OFF-BY-ONE ERROR CWE-193

An off by one error vulnerability in ASPECT allow an array out of bounds condition in a log script.

CVE-2024-51554 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L).

3.2.24 USE OF DEFAULT PASSWORD CWE-1393

Default credential vulnerability in ASPECT allows access to an ASPECT device using publicly available default credentials, since the system does not require the installer to change default credentials.

CVE-2024-51555 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.25 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

A filesize check vulnerability in ASPECT allow a malicious user to bypass size limits or overload an ASPECT device.

CVE-2024-11316 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.26 SESSION FIXATION CWE-384

Session fixation vulnerability in ASPECT allow an attacker to fix a user’s session identifier before login providing an opportunity for session takeover on an ASPECT device.

CVE-2024-11317 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Gjoko Krstikj of Zero Science Lab reported these vulnerabilities to CISA.

4. MITIGATIONS

ABB has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • (CVE-2024-6209, CVE-2024-6298, CVE-2024-48847) ASP-ENT-x <=3.08.01, NEX-2x <=3.08.01, MAT-x <=3.08.01, NEXUS-3-x <=3.08.01: The vulnerabilities have been resolved in product versions 3.08.02 and later.
  • (CVE-2024-6515, CVE-2024-6516, CVE-2024-6784, CVE-2024-48843, CVE-2024-48844, CVE-2024-48846, CVE-2024-48839, CVE-2024-48840, CVE-2024-51541, CVE-2024-51542, CVE-2024-51543, CVE-2024-51544, CVE-2024-51545, CVE-2024-51546, CVE-2024-51548, CVE-2024-51549, CVE-2024-51550, CVE-2024-51554, CVE-2024-11316, CVE-2024-11317) ASP-ENT-x <=3.08.02, NEX-2x <=3.08.02, NEXUS-3-x <=3.08.02, MAT-x <=3.08.02: The vulnerabilities have been resolved in product versions 3.08.03 and later.
  • (CVE-2024-48845) ASP-ENT-x <=3.07.02, NEXUS-3-x <=3.07.02, NEX-2x <=3.07.02, MAT-x <=3.07.02: The vulnerabilities have been resolved in product versions 3.08.00 and later.
  • (CVE-2024-51551, CVE-2024-51555) ASP-ENT-x <=3.07.02, NEXUS-3-x <=3.07.02, NEX-2x <=3.07.02, MAT-x <=3.07.02: The vulnerabilities have been resolved in product versions 3.08.00 and later.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • January 7, 2025: Initial Publication

 Read More

Nedap Librix Ecoreader

Posted on by itwadmin-security

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/Low attack complexity
Vendor: Nedap Librix
Equipment: Ecoreader
Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION
Successful exploitation of this vulnerability could result in remote code execution.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Ecoreader are affected:

Ecoreader: All versions

3.2 VULNERABILITY OVERVIEW
3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
The affected product is missing authentication for critical functions that could allow an unauthenticated attacker to potentially execute malicious code.
CVE-2024-12757 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L).
A CVSS v4 score has also been calculated for CVE-2024-12757. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Netherlands

3.4 RESEARCHER
Prajitesh Singh of Cyble reported this vulnerability to CISA.
4. MITIGATIONS
Nedap Librix did not respond to our attempts to coordinate with them.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

January 07, 2025: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/Low attack complexity
  • Vendor: Nedap Librix
  • Equipment: Ecoreader
  • Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Ecoreader are affected:

  • Ecoreader: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The affected product is missing authentication for critical functions that could allow an unauthenticated attacker to potentially execute malicious code.

CVE-2024-12757 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2024-12757. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Netherlands

3.4 RESEARCHER

Prajitesh Singh of Cyble reported this vulnerability to CISA.

4. MITIGATIONS

Nedap Librix did not respond to our attempts to coordinate with them.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • January 07, 2025: Initial Publication

 Read More

Scroll to Top