Security News > 2023 > April > CISA Warns of Critical ICS Flaws in Hitachi, mySCADA, ICL, and Nexx Products
The U.S. Cybersecurity and Infrastructure Security Agency has published eight Industrial Control Systems advisories warning of critical flaws affecting products from Hitachi Energy, mySCADA Technologies, Industrial Control Links, and Nexx.
Topping the list is CVE-2022-3682, impacting Hitachi Energy's MicroSCADA System Data Manager SDM600 that could allow an attacker to take remote control of the product.
Hitachi Energy has released SDM600 1.3.0.1339 to mitigate the issue for SDM600 versions prior to version 1.2 FP3 HF4. Another set of five critical vulnerabilities - CVE-2023-28400, CVE-2023-28716, CVE-2023-28384, CVE-2023-29169, and CVE-2023-29150 - relate to command injection bugs present in mySCADA myPRO versions 8.26.0 and prior.
"Successful exploitation of these vulnerabilities could allow an authenticated user to inject arbitrary operating system commands," CISA warned, urging users to update to version 8.29.0 or higher.
A critical security bug has also been disclosed in Industrial Control Links ScadaFlex II SCADA Controllers that could allow an authenticated attacker to overwrite, delete, or create files.
Rounding off the list are five shortcomings, including one critical bug, impacting garage door controllers, smart plugs, and smart alarms sold by Nexx.
News URL
https://thehackernews.com/2023/04/cisa-warns-of-critical-ics-flaws-in.html
Related news
- CISA: Network switch RCE flaw impacts critical infrastructure (source)
- CISA says critical Fortinet RCE flaw now exploited in attacks (source)
- CISA Warns of Critical Fortinet Flaw as Palo Alto and Cisco Issue Urgent Security Patches (source)
- CISA adds fresh Ivanti vuln, critical Fortinet bug to hall of shame (source)
- CISA warns of critical Palo Alto Networks bug exploited in attacks (source)
- CISA Alerts to Active Exploitation of Critical Palo Alto Networks Vulnerability (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-04-27 | CVE-2023-29169 | OS Command Injection vulnerability in Myscada Mypro mySCADA myPRO versions 8.26.0 and prior has parameters which an authenticated user could exploit to inject arbitrary operating system commands. | 8.8 |
| 2023-04-27 | CVE-2023-29150 | OS Command Injection vulnerability in Myscada Mypro mySCADA myPRO versions 8.26.0 and prior has parameters which an authenticated user could exploit to inject arbitrary operating system commands. | 8.8 |
| 2023-04-27 | CVE-2023-28716 | OS Command Injection vulnerability in Myscada Mypro mySCADA myPRO versions 8.26.0 and prior has parameters which an authenticated user could exploit to inject arbitrary operating system commands. | 8.8 |
| 2023-04-27 | CVE-2023-28400 | OS Command Injection vulnerability in Myscada Mypro mySCADA myPRO versions 8.26.0 and prior has parameters which an authenticated user could exploit to inject arbitrary operating system commands. | 8.8 |
| 2023-04-27 | CVE-2023-28384 | OS Command Injection vulnerability in Myscada Mypro mySCADA myPRO versions 8.26.0 and prior has parameters which an authenticated user could exploit to inject arbitrary operating system commands. | 8.8 |
| 2023-03-28 | CVE-2022-3682 | Unrestricted Upload of File with Dangerous Type vulnerability in Hitachienergy Sdm600 A vulnerability exists in the SDM600 file permission validation. | 8.8 |