CISA Warns of Critical ICS Flaws in Hitachi, mySCADA, ICL, and Nexx Products

07-04-2023

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published eight Industrial Control Systems (ICS) advisories warning of critical flaws affecting products from Hitachi Energy, mySCADA Technologies, Industrial Control Links, and Nexx.

Topping the list is CVE-2022-3682 (CVSS score: 9.9), a flaw in Hitachi Energy’s MicroSCADA System Data Manager SDM600 that could allow an attacker to take remote control of the product.

The flaw stems from an issue with file permission validation, thereby permitting an adversary to upload a specially crafted message to the system, leading to arbitrary code execution.

“Successful exploitation of these vulnerabilities could allow an authenticated user to inject arbitrary operating system commands,” CISA warned, urging users to update to version 8.29.0 or higher.

A critical security bug has also been disclosed in Industrial Control Links ScadaFlex II SCADA Controllers (CVE-2022-25359, CVSS score: 9.1) that could allow an authenticated attacker to overwrite, delete, or create files.

“Industrial Control Links has relayed that they are closing their business,” the agency said. “This product may be considered end-of-life; continued support for this product may be unavailable.”

The following versions of Nexx smart home devices are affected –

  • Nexx Garage Door Controller (NXG-100B, NXG-200) – Version nxg200v-p3-4-1 and prior
  • Nexx Smart Plug (NXPG-100W) – Version nxpg100cv4-0-0 and prior
  • Nexx Smart Alarm (NXAL-100) – Version nxal100v-p1-9-1 and prior

“Successful exploitation of these vulnerabilities could allow an attacker to receive sensitive information, execute application programmable interface (API) requests, or hijack devices,” CISA said.

 

Source: https://thehackernews.com/