A water pumping system made by ProPump and Controls has been found to have several vulnerabilities that could be exploited by hackers to cause significant problems. The Osprey Pump Controller is a product of the US-based company that specializes in pumping systems and automated controls for various applications, including municipal water and sewer, golf courses and turf irrigation, agricultural and industrial.
Furthermore, the security holes were discovered by Macedonian cybersecurity research firm Zero Science Lab, during an assessment of a client’s system, and were reported to the vendor, US Cybersecurity and Infrastructure Security Agency (CISA), and Carnegie Mellon University’s Vulnerability Information and Coordination Environment (VINCE), but the vendor has not responded, and the vulnerabilities remain unpatched.
At the same time, the vulnerabilities include remote code execution, authentication bypass, backdoor access, cross-site request forgery (CSRF), command injection, cross-site scripting (XSS), file disclosure, and session hijacking issues.
Some of these flaws can be exploited without authentication, and dozens of controllers are exposed on the internet, including in the client’s network assessed by Zero Science Lab. An attacker could exploit the vulnerabilities to remotely hack a system and take complete control of the device.
This could lead to a denial-of-service attack or various nefarious activities, depending on the targeted controller’s use.
Additionally, According to CISA, the Osprey Pump Controller is used worldwide in various industries. The agency has advised ProPump and Controls customers to contact the vendor to obtain information on any patches or mitigations.
The Zero Science Lab advisories reveal that CISA has assigned this incident a priority rating of ‘baseline – negligible,’ indicating that it’s “highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence”.
However, it is not uncommon for hackers to target water facilities, including in the United States, as CISA and other agencies warned in 2021 that ransomware had hit SCADA systems at three water facilities in the country