The US Cybersecurity and Infrastructure Agency (CISA) has published eight Industrial Control Systems (ICS) advisory alerts about critical flaws affecting products from Hitachi Energy, mySCADA Technologies, Industrial Control Links, and Nexx.
Topping the list is CVE-2022-3682 (CVSS score: 9.9), impacted Hitachi Energy’s MicroSCADA System Data Manager SDM600 which allowed an attacker to take remote control of the product.
The flaw stems from issues with file permission validation, allowing adversaries to upload specially crafted messages to the system, leading to arbitrary code execution.
Hitachi Energy has released SDM600 184.108.40.2069 to reduce issue for SDM600 versions prior to 1.2 FP3 HF4 (Build No. 1.2.23000.291).
Another set of five critical vulnerabilities – CVE-2023-28400, CVE-2023-28716, CVE-2023-28384, CVE-2023-29169And CVE-2023-29150 (CVSS Score: 9.9) – related to a command injection bug present in mySCADA myPRO version 8.26.0 and earlier.
“Successful exploitation of this vulnerability could allow authenticated users to inject arbitrary operating system commands,” CISA warned, urging users to update to version 8.29.0 or higher.
A critical security bug has also been disclosed in Industrial Control Links ScadaFlex II SCADA Controllers (CVE-2022-25359CVSS score: 9.1) that allows an authenticated attacker to overwrite, delete, or create files.
“Industrial Control Links have communicated that they are closing their business,” the agency said. “This product may be considered end of life; ongoing support for this product may not be available.”
Users are advised to minimize network exposure, isolate the control system network from the business network, and place it behind a firewall to address potential risks.
Ending the list are five unpatched bugs, including one critical bug (CVE-2023-1748CVSS score: 9.3), affects garage door controllers, smart plugs and smart alarms sold by Nexx.
A vulnerability that could allow a threat actor to open a home’s garage door, take over a smart plug, and gain remote control of a smart alarm, according to security researchers Sam Sabetanwho found and reported the problem.
The following versions of Nexx smart home devices are affected –
- Nexx Garage Door Controllers (NXG-100B, NXG-200) – Versions nxg200v-p3-4-1 and earlier
- Nexx Smart Plug (NXPG-100W) – Version nxpg100cv4-0-0 and earlier
- Nexx Smart Alarm (NXAL-100) – Versions nxal100v-p1-9-1and earlier
“Successful exploitation of this vulnerability could allow an attacker to receive sensitive information, execute application programmable interface (API) requests, or hijack a device,” CISA said.