CRITICALπŸ‡΅πŸ‡± Wersja polska

CVE-2024-4872

CVSS 9.9v3.1pub. 2024-08-27upd. 2024-10-30

A vulnerability exists in the query validation of the MicroSCADA Pro/X SYS600 product. If exploited this could allow an authenticated attacker to inject code towards persistent data. Note that to successfully exploit this vulnerability an attacker must have a valid credential.

πŸ€– AI Analysis
How it works

The vulnerability results from insufficient input data validation in the module processing SYS600 system queries. An attacker possessing valid credentials can formulate a malicious query containing injected content that will be written into the system's persistent data (CWE-943 β€” improper neutralization of special elements in data query logic). Due to the network vector (AV:N) and lack of user interaction requirement (UI:N), the attack can be conducted remotely without additional hindrances after gaining access to an account.

Impact

Successful exploitation of the vulnerability allows an attacker to inject malicious code into persistent SCADA system data, which may lead to complete compromise of confidentiality, integrity, and availability (C:H/I:H/A:H) β€” potentially including resources beyond the direct application context.

Mitigation & patch

Apply patches available from the vendor in accordance with references (Hitachi Energy publication, document ID 8DBD000160). Additionally, it is recommended to restrict access to the SYS600 system exclusively to trusted users and to monitor attempts of unauthorized access and anomalous queries.

Who is affected

Hitachi Energy products MicroSCADA Pro SYS600 and MicroSCADA X SYS600 β€” specific versions indicated in vendor references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Hitachienergy Microscada Pro Sys600

    APP
    Hitachienergy
    9.4
  • Hitachienergy Microscada X Sys600

    APP
    Hitachienergy
    10.0 – 10.6 (bez)
πŸ”΅
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-3980CRITICAL9.9PL βœ“ten sam produkt

Path Traversal w MicroSCADA Pro/X SYS600 β€” dostΔ™p do plikΓ³w systemowych

CVE-2019-5620CRITICAL9.8ten sam produkt

ABB MicroSCADA Pro SYS600 version 9.3 suffers from an instance of CWE-306: Missing Authentication for Critical...

CVE-2025-39203HIGH7.1ten sam produkt

A vulnerability exists in the IEC 61850 of the MicroSCADA X SYS600 product. An IEC 61850-8 crafted message con...

CVE-2025-39202HIGH8.3ten sam produkt

A vulnerability exists in in the Monitor Pro interface of the MicroSCADA X SYS600 product. An authenticated us...

CVE-2025-39204HIGH8.5ten sam produkt

A vulnerability exists in the Web interface of the MicroSCADA X SYS600 product. The filtering query in the Web...

CVE-2024-4872 β€” Hitachienergy β€” Microscada Pro Sys600 β€” CRITICAL β€” CVSS 9.9 | CVEbaza.pl