CISA Warns of Critical ICS Flaws in Hitachi, mySCADA, ICL, and Nexx Products

April 7, 2023 | Ravie Lakshmanan | Industrial Control System

Industrial Control Systems (ICS) Advisory

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory warning of eight critical flaws in industrial control systems (ICS) affecting products from Hitachi Energy, mySCADA Technologies, Industrial Control Links, and Nexx.

Topping the list is CVE-2022-3682 (CVSS score: 9.9), which affects Hitachi Energy’s MicroSCADA System Data Manager SDM600 and could allow an attacker to take remote control of the product.

The flaw is due to a file permission validation issue that could allow an adversary to upload a specially crafted message to the system, potentially resulting in arbitrary code execution.

Hitachi Energy has released SDM600 version 1.3.0.1339 to address the issue, which affects versions of SDM600 prior to 1.2 FP3 HF4 (build number 1.2.23000.291).

Another set of five critical vulnerabilities – CVE-2023-28400, CVE-2023-28716, CVE-2023-28384, CVE-2023-29169, and CVE-2023-29150 (CVSS score: 9.9) – affects mySCADA myPRO version 8.26.0 and earlier and relates to command injection bugs.

“Successfully exploiting these vulnerabilities could allow an authenticated user to inject arbitrary operating system commands,” CISA warned, urging users to update to version 8.29.0 or higher.
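The bug class CISA describes here, command injection reachable by an authenticated user, is worth seeing side by side with its fix. The following is an added example written for this article; it is not mySCADA code and says nothing about how myPRO is actually implemented. The "host" diagnostics parameter, the use of `echo` as a stand-in for a tool such as `ping`, and the sample log lines are all constructed for the demonstration.

```python
"""Command injection in a web/SCADA request handler: vulnerable vs. hardened.

Added illustration only (not mySCADA/myPRO code). `echo` stands in for a real
diagnostics utility so the example runs offline and harmlessly.
"""
import re
import subprocess

# Constructed sample inputs for a hypothetical "host" parameter. The second is
# shaped like an injection attempt and exists only to show that the handlers
# behave differently; nothing harmful is executed.
BENIGN_INPUT = "10.0.0.5"
INJECTED_INPUT = "10.0.0.5; echo INJECTED"

# Allow-list for a hostname/IP parameter: letters, digits, dots, hyphens only.
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")

# Characters that carry meaning to /bin/sh; used by the log check below.
SHELL_META_RE = re.compile(r"[;&|`$(){}<>\n]")

# Constructed request-log lines for the defender-side check.
SAMPLE_LOG = [
    "2023-04-07T10:00:00Z user=operator action=ping host=10.0.0.5",
    "2023-04-07T10:00:07Z user=operator action=ping host=10.0.0.5;id",
    "2023-04-07T10:00:15Z user=operator action=ping host=plc-3.ot.example",
]


def vulnerable_handler(host: str) -> str:
    """Vulnerable pattern: the parameter is spliced into a command string that
    /bin/sh parses, so shell syntax in the input (; | & $() ...) becomes part
    of the command. Returns the tool's stdout."""
    result = subprocess.run(f"echo {host}", shell=True,
                            capture_output=True, text=True, check=False)
    return result.stdout


def argv_only_handler(host: str) -> str:
    """Argv list without validation: no shell is involved, so the whole value
    arrives as one literal argument and the second command never runs.
    Input validation is still wanted to keep junk away from the tool."""
    result = subprocess.run(["echo", host],
                            capture_output=True, text=True, check=False)
    return result.stdout


def hardened_handler(host: str) -> str:
    """Hardened pattern: reject anything outside the allow-list, then pass an
    argv list so the shell never interprets the value."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    result = subprocess.run(["echo", host],
                            capture_output=True, text=True, check=False)
    return result.stdout


def flag_suspicious_params(log_lines):
    """Defender-side check: return log lines whose host= value carries shell
    metacharacters, the usual fingerprint of an injection attempt against a
    handler like vulnerable_handler()."""
    hits = []
    for line in log_lines:
        match = re.search(r"host=(\S+)", line)
        if match and SHELL_META_RE.search(match.group(1)):
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_handler(INJECTED_INPUT)))
    print("argv only: ", repr(argv_only_handler(INJECTED_INPUT)))
    try:
        hardened_handler(INJECTED_INPUT)
    except ValueError as exc:
        print("hardened:  ", exc)
    print("flagged:   ", flag_suspicious_params(SAMPLE_LOG))
```

Run stand-alone, the vulnerable handler prints two lines for the injected input (the second command executed), the argv-only handler prints the value back as a single literal string, and the hardened handler rejects it before anything runs. The log check is the kind of simple rule a defender can apply to request logs while patching to 8.29.0 is scheduled.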

CISA also disclosed a critical security bug in Industrial Control Links ScadaFlex II SCADA Controllers (CVE-2022-25359, CVSS score: 9.1) that allows an authenticated attacker to overwrite, delete, or create files.

“Industrial Control Links has informed us that they are closing their business,” the agency said. “This product may be considered End of Life. Continued support for this product may not be available.”

Users are advised to minimize network exposure and keep control system networks separate from business networks and behind firewalls to address potential risks.

Rounding out the list are five shortcomings, including one critical bug (CVE-2023-1748, CVSS score: 9.3), affecting garage door controllers, smart plugs, and smart alarms sold by Nexx.

According to security researcher Sam Sabetan, who discovered and reported the issues, the vulnerabilities could allow an attacker to open a home’s garage door, hijack its smart plugs, and gain remote control of its smart alarms.


The following versions of Nexx smart home devices are affected –

  • Nexx Garage Door Controller (NXG-100B, NXG-200) – versions nxg200v-p3-4-1 and earlier
  • Nexx Smart Plug (NXPG-100W) – version nxpg100cv4-0-0 and earlier
  • Nexx Smart Alarm (NXAL-100) – version nxal100v-p1-9-1 and earlier

“Successfully exploiting these vulnerabilities could allow an attacker to receive sensitive information, execute application programmable interface (API) requests, or take over a device,” CISA said.
