Measuresoft ScadaPro Vulnerabilities
Act Now · ICS-CERT ICSA-11-263-01 · Jun 23, 2011
Summary
Measuresoft ScadaPro versions 4.0.0.0 and earlier contain multiple vulnerabilities: buffer overflow (CWE-119), path traversal (CWE-22), improper input validation (CWE-20), and information disclosure (CWE-200). These flaws allow remote attackers to execute arbitrary code, read unauthorized files, or crash the application. No vendor patch is available.
What this means
What could happen
An attacker with network access to ScadaPro could execute arbitrary code, read sensitive files, bypass input validation, or access unauthorized information. This could allow modification of process parameters, disruption of SCADA operations, or theft of system configuration data.
Who's at risk
Energy sector operators and utilities running ScadaPro 4.0.0.0 or earlier for SCADA monitoring and control should care. This includes power generation facilities, distribution control centers, and any critical infrastructure using this legacy software to monitor or control industrial processes.
How it could be exploited
An attacker sends a specially crafted network request to ScadaPro that exploits one of the input validation or buffer overflow vulnerabilities (CWE-119, CWE-20). If successful, the attacker gains the ability to execute arbitrary code on the SCADA server and could then alter setpoints or halt operations. Alternatively, the attacker could abuse path traversal (CWE-22) to read sensitive files such as configuration or credential storage.
Prerequisites
- Network access to ScadaPro listening ports
- ScadaPro version 4.0.0.0 or earlier installed and running
remotely exploitable · no patch available · high EPSS score (72.3%) · buffer overflow and input validation flaws · path traversal vulnerability · information disclosure risk
Exploitability
High exploit probability (EPSS 72.3%)
Affected products (1)
Product | Affected Versions | Fix Status
ScadaPro: <=4.0.0.0 | ≤ 4.0.0.0 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate or air-gap ScadaPro systems from untrusted networks. Restrict network access to ScadaPro to authorized engineering workstations and control systems only.
HARDENING: Implement network-level filtering and firewall rules to block external access to ScadaPro ports. Log and monitor all connections to the system.
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
HOTFIX: Evaluate upgrade path to a patched version if available from vendor, or plan system replacement if end-of-life.