The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about eight critical flaws in industrial control systems (ICS) affecting products from Nexx, Hitachi Energy, Industrial Control Links, and mySCADA Technologies.
The most severe vulnerability, CVE-2022-3682, has a CVSS score of 9.9 and could allow attackers to gain remote control of Hitachi Energy’s MicroSCADA System Data Manager SDM600. The flaw is caused by a problem with file permission validation that permits attackers to upload a specially crafted message to the system, leading to arbitrary code execution. Hitachi Energy has released a patch to address the issue.
MySCADA myPRO versions 8.26.0 and earlier are also affected by five critical vulnerabilities related to command injection bugs, which could allow authenticated users to inject arbitrary operating system commands.
CISA has recommended that users update to version 8.29.0 or higher to mitigate the risks.
Industrial Control Links ScadaFlex II SCADA Controllers have also been affected by a critical security flaw that could allow authenticated attackers to create, delete or overwrite files.
Industrial Control Links has reportedly gone out of business, and users are advised to minimize network exposure, isolate control system networks from business networks and place them behind firewalls.
Lastly, Nexx’s smart home devices, including garage door controllers, smart plugs, and smart alarms, have also been affected by five vulnerabilities, one of which is critical.
Security researcher Sam Sabetan discovered and reported the issues, which could enable attackers to crack open home garage doors, take over smart plugs and gain remote control of smart alarms.
Users of the affected Nexx devices are advised to update their firmware to mitigate the risks.
