Softing edgeConnector, released on March 14, 2024, has been identified with several critical vulnerabilities, including cleartext transmission of sensitive information and path traversal. These vulnerabilities, rated with a Common Vulnerability Scoring System (CVSS) v3 base score of 7.2 and 8.0, respectively, pose a low attack complexity but a high risk of remote code execution. The affected products, Softing edgeConnector and edgeAggregator version 3.60, are globally deployed in critical manufacturing sectors. The vulnerabilities were reported to CISA by researchers from STAR Labs SG Pte. Ltd. and Trend Micro Zero Day Initiative. Mitigating measures for these vulnerabilities include updating Softing edgeConnector and edgeAggregator to version 3.70 or higher and implementing defensive actions to minimize the risk of exploitation. CISA recommends control system devices to be isolated from the internet, located behind firewalls, and accessed through secure methods such as Virtual Private Networks (VPNs).
Organizations are urged to conduct impact analysis and risk assessment before deploying defensive measures and to follow recommended cybersecurity strategies for proactive defense of Industrial Control System (ICS) assets. Additionally, practices to avoid social engineering attacks and web vulnerabilities have been advised by CISA, emphasizing the importance of recognizing and avoiding suspicious activities to safeguard ICS assets.
