CRITICAL🇵🇱 Wersja polska

CVE-2024-3980

CVSS 9.9v3.1pub. 2024-08-27upd. 2024-10-30

The MicroSCADA Pro/X SYS600 product allows an authenticated user input to control or influence paths or file names that are used in filesystem operations. If exploited the vulnerability allows the attacker to access or modify system files or other files that are critical to the application.

🤖 AI Analysis
How it works

The application does not sufficiently validate input data supplied by an authenticated user, which controls paths or file names used in file system operations (CWE-22). An attacker can craft input containing path traversal sequences (e.g., '../') to escape the allowed directory. As a result, access to arbitrary operating system files or application configuration files is possible.

Impact

An attacker with access to a user account can read or modify system files and files critical to SCADA application operation, which may result in confidentiality breach, data integrity violation, and in OT/ICS environments potentially disrupt industrial processes.

Mitigation & patch

Apply patches available from the manufacturer according to references (https://publisher.hitachienergy.com/preview?DocumentID=8DBD000160&LanguageCode=en&DocumentPartId=&Action=Launch). It is also recommended to restrict system access exclusively to trusted users and monitor operations on system files.

Who is affected

Hitachi Energy MicroSCADA Pro SYS600 and MicroSCADA X SYS600 — specific versions indicated in manufacturer references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Hitachienergy Microscada Pro Sys600

    APP
    Hitachienergy
    9.4
  • Hitachienergy Microscada X Sys600

    APP
    Hitachienergy
    10.0 – 10.6 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2024-4872CRITICAL9.9PL ✓ten sam produkt

Injection w walidacji zapytań MicroSCADA Pro/X SYS600 — nieautoryzowany zapis danych

CVE-2019-5620CRITICAL9.8ten sam produkt

ABB MicroSCADA Pro SYS600 version 9.3 suffers from an instance of CWE-306: Missing Authentication for Critical...

CVE-2025-39203HIGH7.1ten sam produkt

A vulnerability exists in the IEC 61850 of the MicroSCADA X SYS600 product. An IEC 61850-8 crafted message con...

CVE-2025-39202HIGH8.3ten sam produkt

A vulnerability exists in in the Monitor Pro interface of the MicroSCADA X SYS600 product. An authenticated us...

CVE-2025-39204HIGH8.5ten sam produkt

A vulnerability exists in the Web interface of the MicroSCADA X SYS600 product. The filtering query in the Web...