Every week, we catalog the major industrial cybersecurity vulnerabilities and updates you should know about. Here are the notable threats from the week of March 19 - 25. Sign up to get these updates right to your inbox!
SAUTER EY-modulo 5 Building Automation Stations contain cross-site scripting, cleartext transmission of sensitive information and unrestricted upload of file with dangerous type vulnerabilities that can lead to privilege escalation, unauthorized execution of actions or a denial-of-service condition.
Schneider Electric IGSS contains missing authentication for critical function, insufficient verification of data authenticity, deserialization of untrusted data and more vulnerabilities that can result in a denial-of-service condition, as well as modification of dashboards or report files in the IGSS Report folder.
Sources: CISA, Schneider Electric
ProPump and Controls Osprey Pump Controller contains insufficient entropy, use of hard-coded password, OS command injection and more vulnerabilities that could allow an attacker to gain unauthorized access, retrieve sensitive information, modify data or cause a denial-of-service condition.
Sources: CISA, Pro Pump and Controls
Delta Electronics InfraSuite Device Master contains path traversal, improper authentication, command injection and more vulnerabilities that could allow an unauthenticated attacker to obtain access to files and credentials, escalate privileges and remotely execute arbitrary code.
Sources: CISA, Delta Electronics
Rockwell Automation ThinManager contains path traversal and heap-based buffer overflow vulnerabilities that could allow an attacker to potentially perform remote code execution on the target system/device or crash the software.
Sources: CISA, Rockwell Automation
Hitachi Energy GMS600, PWC600 and Relion contain an improper access controls vulnerability that could allow an attacker with user credentials to bypass security controls enforced by the product.
Sources: CISA, Hitachi Energy
