Security News > 2023 > April > CISA Warns of Critical ICS Flaws in Hitachi, mySCADA, ICL, and Nexx Products
The U.S. Cybersecurity and Infrastructure Security Agency has published eight Industrial Control Systems advisories warning of critical flaws affecting products from Hitachi Energy, mySCADA Technologies, Industrial Control Links, and Nexx.
Topping the list is CVE-2022-3682, impacting Hitachi Energy's MicroSCADA System Data Manager SDM600 that could allow an attacker to take remote control of the product.
Hitachi Energy has released SDM600 1.3.0.1339 to mitigate the issue for SDM600 versions prior to version 1.2 FP3 HF4. Another set of five critical vulnerabilities - CVE-2023-28400, CVE-2023-28716, CVE-2023-28384, CVE-2023-29169, and CVE-2023-29150 - relate to command injection bugs present in mySCADA myPRO versions 8.26.0 and prior.
"Successful exploitation of these vulnerabilities could allow an authenticated user to inject arbitrary operating system commands," CISA warned, urging users to update to version 8.29.0 or higher.
A critical security bug has also been disclosed in Industrial Control Links ScadaFlex II SCADA Controllers that could allow an authenticated attacker to overwrite, delete, or create files.
Rounding off the list are five shortcomings, including one critical bug, impacting garage door controllers, smart plugs, and smart alarms sold by Nexx.
News URL
https://thehackernews.com/2023/04/cisa-warns-of-critical-ics-flaws-in.html
Related news
- CISA warns critical SolarWinds RCE bug is exploited in attacks (source)
- CISA Warns of Critical Jenkins Vulnerability Exploited in Ransomware Attacks (source)
- CISA Flags Critical Apache OFBiz Flaw Amid Active Exploitation Reports (source)
- SANS Institute Unveils Critical Infrastructure Strategy Guide for 2024: A Call to Action for Securing ICS/OT Environments (source)
- CISA Flags Critical Ivanti vTM Vulnerability Amid Active Exploitation Concerns (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-04-27 | CVE-2023-29169 | OS Command Injection vulnerability in Myscada Mypro mySCADA myPRO versions 8.26.0 and prior has parameters which an authenticated user could exploit to inject arbitrary operating system commands. | 8.8 |
| 2023-04-27 | CVE-2023-29150 | OS Command Injection vulnerability in Myscada Mypro mySCADA myPRO versions 8.26.0 and prior has parameters which an authenticated user could exploit to inject arbitrary operating system commands. | 8.8 |
| 2023-04-27 | CVE-2023-28716 | OS Command Injection vulnerability in Myscada Mypro mySCADA myPRO versions 8.26.0 and prior has parameters which an authenticated user could exploit to inject arbitrary operating system commands. | 8.8 |
| 2023-04-27 | CVE-2023-28400 | OS Command Injection vulnerability in Myscada Mypro mySCADA myPRO versions 8.26.0 and prior has parameters which an authenticated user could exploit to inject arbitrary operating system commands. | 8.8 |
| 2023-04-27 | CVE-2023-28384 | OS Command Injection vulnerability in Myscada Mypro mySCADA myPRO versions 8.26.0 and prior has parameters which an authenticated user could exploit to inject arbitrary operating system commands. | 8.8 |
| 2023-03-28 | CVE-2022-3682 | Unrestricted Upload of File with Dangerous Type vulnerability in Hitachienergy Sdm600 A vulnerability exists in the SDM600 file permission validation. | 8.8 |