Every week, we catalog the major industrial cybersecurity vulnerabilities and updates you should know about. Here are the notable threats from the week of February 5 - 11. Sign up to get these updates right to your inbox!
Control by Web X-400, X-600M contain cross-site scripting and code injection vulnerabilities that can allow threat actors to inject malicious code remotely.
Sources: CISA, Control by Web
LS ELECTRIC XBC-DN32U contains missing authentication for critical function, improper access control, cleartext transmission of sensitive information and more vulnerabilities that can lead to an attacker stealing programmable logic controller (PLC) information, causing communication issues with a PLC, causing a denial of service condition and more.
Sources: CISA, LS Electric
Johnson Controls System Configuration Tool (SCT) contains sensitive cookie without ‘HttpOnly’ flag and sensitive cookie in HTTPS session without 'secure' attribute vulnerabilities that can allow an attacker access to user cookies and to take control of a session.
Sources: CISA, Johnson Controls
Horner Automation Cscape Envision RV contains an out of bounds read and out of bounds write vulnerability that can lead to an attacker executing arbitrary code.
Sources: CISA, Horner Automation
Omron SYSMAC CS/CJ/CP Series and NJ/NX Series (Update A) contains cleartext transmission of sensitive information, insufficient verification of data authenticity and plaintext storage of a password vulnerabilities that can lead to a denial-of-service condition and result in remote execution.
