
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released eight Industrial Control Systems advisories on Tuesday, warning of critical flaws affecting equipment from Delta Electronics and Rockwell Automation.
"Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to obtain access to files and credentials, escalate privileges, and remotely execute arbitrary code," CISA said.
Top of the list is CVE-2023-1133, a critical flaw that arises from the fact that InfraSuite Device Master accepts unverified UDP packets and deserializes the content, thereby allowing an unauthenticated remote attacker to execute arbitrary code.
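The flaw class CISA describes here, a service that accepts any UDP datagram and hands it to a general-purpose deserializer, shown beside a hardened handler that authenticates and schema-checks the datagram first. This is an added illustration, not code from the advisory or from Delta Electronics; the message format, the shared key, the `DeviceStatus` schema and the use of Python `pickle` as a stand-in for the product's deserializer are all assumptions.

```python
import hashlib
import hmac
import json
import pickle
from dataclasses import asdict, dataclass
from typing import Optional

# Constructed demo key; a real deployment would provision a per-device secret.
SHARED_KEY = b"constructed-demo-key-not-for-production"
MAX_DATAGRAM = 512                    # bound the payload before parsing anything
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC tag prepended to the body

@dataclass(frozen=True)
class DeviceStatus:          # hypothetical schema for a device-status report
    device_id: str
    temperature_c: float
    alarm: bool

def handle_datagram_vulnerable(data: bytes):
    # The pattern in the advisory: an unverified datagram from any sender goes
    # straight into a deserializer that rebuilds whatever object graph the
    # sender chose. pickle stands in for the product's own deserializer.
    return pickle.loads(data)

def sign_body(body: bytes) -> bytes:
    return hmac.new(SHARED_KEY, body, hashlib.sha256).digest()

def handle_datagram_hardened(data: bytes) -> Optional[DeviceStatus]:
    # 1. Size bound before the bytes are interpreted at all.
    if not TAG_LEN < len(data) <= MAX_DATAGRAM:
        return None
    tag, body = data[:TAG_LEN], data[TAG_LEN:]
    # 2. Verify the sender (the missing step) before parsing the payload.
    if not hmac.compare_digest(tag, sign_body(body)):
        return None
    # 3. Parse with a data-only format: JSON yields dicts, lists and scalars, never code.
    try:
        obj = json.loads(body)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return None
    # 4. Schema allowlist: exact key set and strict types (bool is an int subclass,
    #    so it is excluded from the numeric field explicitly).
    if not isinstance(obj, dict) or set(obj) != {"device_id", "temperature_c", "alarm"}:
        return None
    if not (isinstance(obj["device_id"], str) and 0 < len(obj["device_id"]) <= 32):
        return None
    temp = obj["temperature_c"]
    if isinstance(temp, bool) or not isinstance(temp, (int, float)):
        return None
    if not isinstance(obj["alarm"], bool):
        return None
    return DeviceStatus(obj["device_id"], float(temp), obj["alarm"])

def build_datagram(status: DeviceStatus) -> bytes:
    # Sender side: compact JSON body with the HMAC tag in front.
    body = json.dumps(asdict(status), separators=(",", ":")).encode()
    return sign_body(body) + body
```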
Piotr Bazydlo and an anonymous security researcher have been credited with discovering and reporting the shortcomings to CISA. Another set of vulnerabilities relates to Rockwell Automation's ThinManager ThinServer and affects the following versions of the thin client and remote desktop protocol server management software.
"Successful exploitation of these vulnerabilities could allow an attacker to potentially perform remote code execution on the target system/device or crash the software," CISA noted.
The disclosure arrives more than six months after CISA warned of a high-severity buffer overflow vulnerability in Rockwell Automation ThinManager ThinServer that could result in arbitrary remote code execution.
News URL
https://thehackernews.com/2023/03/cisa-alerts-on-critical-security.html
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK (CVSS)
---|---|---|---
2023-03-27 | CVE-2023-1133 | Deserialization of Untrusted Data vulnerability in Deltaww Infrasuite Device Master 00.00.01A/00.00.02A. Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a vulnerability in which the Device-status service listens on port 10100/UDP by default. | 9.8