A security issue has been identified in ibaPDA that could allow unauthorized actions on the file system under certain conditions. This may impact the confidentiality, integrity, or availability of the system.
The vulnerability results from improperly configured permissions to file system resources (CWE-732 — Incorrect Permission Assignment for Critical Resource). Under certain conditions, an unauthenticated remote attacker can gain access to protected file system resources and perform unauthorized actions on them. The lack of authentication requirements, user interaction, and low attack condition requirements (AC:L, AT:N, PR:N, UI:N) make the vulnerability exceptionally easy to exploit.
An attacker can compromise the confidentiality, integrity, and availability of the system through unauthorized reading, modification, or deletion of files — including potentially critical process data and industrial system configuration data. Due to the high impact on both the local system and dependent systems (SC:H, SI:H, SA:H), the consequences may include disruption of industrial facility operations.
Patches available from the manufacturer should be applied in accordance with the references — detailed information about patched versions is available in the CISA ICS-CERT advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-01
ibaPDA software — versions indicated in manufacturer references (ICS-CERT advisory ICSA-26-027-01)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X