A vulnerability exists in the query validation of the MicroSCADA Pro/X SYS600 product. If exploited this could allow an authenticated attacker to inject code towards persistent data. Note that to successfully exploit this vulnerability an attacker must have a valid credential.
The vulnerability results from insufficient input data validation in the module processing SYS600 system queries. An attacker possessing valid credentials can formulate a malicious query containing injected content that will be written into the system's persistent data (CWE-943 β improper neutralization of special elements in data query logic). Due to the network vector (AV:N) and lack of user interaction requirement (UI:N), the attack can be conducted remotely without additional hindrances after gaining access to an account.
Successful exploitation of the vulnerability allows an attacker to inject malicious code into persistent SCADA system data, which may lead to complete compromise of confidentiality, integrity, and availability (C:H/I:H/A:H) β potentially including resources beyond the direct application context.
Apply patches available from the vendor in accordance with references (Hitachi Energy publication, document ID 8DBD000160). Additionally, it is recommended to restrict access to the SYS600 system exclusively to trusted users and to monitor attempts of unauthorized access and anomalous queries.
Hitachi Energy products MicroSCADA Pro SYS600 and MicroSCADA X SYS600 β specific versions indicated in vendor references
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HHitachienergy Microscada Pro Sys600
APPHitachienergy9.4Hitachienergy Microscada X Sys600
APPHitachienergy10.0 β 10.6 (bez)
Related vulnerabilities
Path Traversal w MicroSCADA Pro/X SYS600 β dostΔp do plikΓ³w systemowych
ABB MicroSCADA Pro SYS600 version 9.3 suffers from an instance of CWE-306: Missing Authentication for Critical...
A vulnerability exists in the IEC 61850 of the MicroSCADA X SYS600 product. An IEC 61850-8 crafted message con...
A vulnerability exists in in the Monitor Pro interface of the MicroSCADA X SYS600 product. An authenticated us...
A vulnerability exists in the Web interface of the MicroSCADA X SYS600 product. The filtering query in the Web...