WellinTech KingView 6.53 KVWebSvr ActiveX

Act NowCVSS 9.8ICS-CERT ICSA-11-074-01Dec 16, 2011

WellinTech

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

WellinTech KingView version 6.53 contains a buffer overflow vulnerability in the KVWebSvr ActiveX control component. The vulnerability is caused by improper bounds checking, allowing an attacker to exceed allocated memory boundaries. The flaw permits remote, unauthenticated code execution with high severity (CVSS 9.8) when a user with KingView installed accesses a malicious web page or document containing a specially crafted ActiveX control. The affected product is end-of-life with no vendor patch available.

What this means

What could happen

An attacker with network access could execute arbitrary code on a KingView 6.53 engineering workstation or server through a malicious ActiveX control, potentially gaining full control over the system and any connected industrial processes.

Who's at risk

This vulnerability affects any organization using WellinTech KingView 6.53 as their HMI/SCADA engineering workstation or web server, particularly water utilities, electric utilities, and other industrial facilities that rely on KingView for real-time monitoring and control of critical processes.

How it could be exploited

An attacker crafts a malicious web page or document containing a specially crafted ActiveX control that exploits the buffer overflow vulnerability in KVWebSvr. When an engineer opens the page or document in a browser on a system running KingView 6.53, the ActiveX control is loaded and executed without user consent or awareness, allowing code execution in the security context of the logged-in user.

Prerequisites

Network access to the engineering workstation or server running KingView 6.53
Victim must browse to attacker-controlled web page or open malicious document in a browser with ActiveX support
KingView 6.53 with vulnerable KVWebSvr component must be installed

remotely exploitableno authentication requiredlow complexityhigh EPSS score (33.2%)no patch availableaffects industrial control and monitoring systems

Exploitability

Likely to be exploited — EPSS score 32.4%

Affected products (1)

ProductAffected VersionsFix Status

WellinTech KingView: V6.53V6.53No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDImplement firewall rules to restrict web browsing on engineering workstations running KingView to only approved, trusted sites

HARDENINGDisable ActiveX in web browsers on all engineering workstations, or restrict it to trusted sites only

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade to a newer version of KingView that is supported and patched, or migrate to an alternative HMI/SCADA platform with active vendor support

Mitigations - no patch available

0/1

WellinTech KingView: V6.53 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGIsolate KingView engineering workstations on a separate network segment with restricted internet access

CVEs (1)

CVE-2011-3142

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/750b67d2-dde9-4900-bb38-098dc2b813fe

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.