OTPulse

ScadaTEC ScadaPhone & Modbus TagServer Buffer Overflow Vulnerability

ICS-CERT ICSA-11-362-01, Sep 30, 2011
Summary

ScadaPhone versions ≤V5.3.11.1230 and Modbus TagServer versions ≤V4.1.1.81 contain a buffer overflow vulnerability (CWE-119) that could allow remote code execution. The vendor has not released a patch. ScadaPhone is used for SCADA remote access and communications; Modbus TagServer is used for Modbus-TCP protocol bridging and real-time data tagging in SCADA environments. Exploitation requires network access to the affected applications.

What this means
What could happen
A buffer overflow in ScadaPhone or Modbus TagServer could allow an attacker to run arbitrary code on the device, potentially disrupting process monitoring, alarming, or data collection in your SCADA network.
Who's at risk
Any energy utility, water authority, or critical infrastructure facility running ScadaPhone for remote SCADA communications or Modbus TagServer for Modbus-TCP gateway or tag management. This includes control engineers, operators, and IT staff responsible for SCADA system maintenance.
How it could be exploited
An attacker on the network sends a specially crafted packet or request to ScadaPhone or Modbus TagServer that overflows a memory buffer. This allows the attacker to inject and execute arbitrary code with the privileges of the affected application.
Prerequisites
  • Network access to ScadaPhone or Modbus TagServer port (specific port not disclosed)
  • ScadaPhone version ≤V5.3.11.1230 or Modbus TagServer version ≤V4.1.1.81 running
Key risk factors
  • No patch available
  • High EPSS score (78%)
  • Remotely exploitable
  • Affects SCADA network monitoring and data collection
  • Buffer overflow allows arbitrary code execution
Exploitability
High exploit probability (EPSS 78.0%)
Affected products (2)
Product | Affected Versions | Fix Status
ScadaPhone | ≤ V5.3.11.1230 | No fix yet
Modbus TagServer | ≤ V4.1.1.81 | No fix yet
Remediation & Mitigation

Do now
  • HARDENING: Isolate ScadaPhone and Modbus TagServer from untrusted networks using a firewall or air-gap
  • WORKAROUND: Restrict network access to ScadaPhone and Modbus TagServer to only authorized engineering workstations and control systems

Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Implement network monitoring to detect unexpected connections or data flows to ScadaPhone and Modbus TagServer

Long-term hardening
  • HOTFIX: Monitor for any available patches or updates from the vendor (ScadaTEC); contact the vendor for a security update timeline
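The access-restriction workaround and the network-monitoring item above can be combined into one allowlist check over firewall logs: any accepted flow to a host running ScadaPhone or Modbus TagServer from a source that is not an authorized engineering workstation or control system raises an alert. The following Python is an added example, not code from OTPulse, ICS-CERT or ScadaTEC; the host addresses, the allowlist, the log format and the destination ports are constructed assumptions, and because the vulnerable port is undisclosed the check covers every port on the affected hosts.

```python
import ipaddress
import re
from typing import Dict, List

# Hosts running the affected applications (constructed addresses).
SCADA_HOSTS: Dict[str, str] = {
    "10.20.1.10": "ScadaPhone",
    "10.20.1.11": "Modbus TagServer",
}
# Sources allowed to reach them (constructed allowlist): the engineering
# workstation subnet and one control-system host.
AUTHORIZED_SOURCES = [ipaddress.ip_network("10.20.5.0/28"),
                      ipaddress.ip_network("10.20.1.20/32")]
# Constructed firewall log format: "<ts> <fw> <ACCEPT|DROP> src= dst= proto= dport=".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<action>ACCEPT|DROP)\s+src=(?P<src>[\d.]+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)$")

def is_authorized(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in AUTHORIZED_SOURCES)

def find_unexpected_connections(lines: List[str]) -> List[Dict[str, str]]:
    """One alert per accepted flow to a SCADA host from outside the allowlist.
    The vulnerable port is undisclosed, so every port on the host is in scope."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["dst"] not in SCADA_HOSTS:
            continue  # unparseable, or not a flow to an affected host
        if m["action"] != "ACCEPT" or is_authorized(m["src"]):
            continue  # blocked at the firewall, or an authorized peer
        alerts.append({"time": m["ts"], "src": m["src"], "dst": m["dst"],
                       "product": SCADA_HOSTS[m["dst"]],
                       "port": f"{m['proto']}/{m['dport']}"})
    return alerts

# Constructed sample: two authorized flows, one blocked probe, and two
# accepted flows from outside the allowlist that should raise alerts.
# Port 5000 for ScadaPhone is a placeholder; the real port is undisclosed.
SAMPLE_LOG = [
    "2011-10-03T08:12:44Z fw01 ACCEPT src=10.20.5.3 dst=10.20.1.10 proto=tcp dport=5000",
    "2011-10-03T08:13:02Z fw01 ACCEPT src=10.20.1.20 dst=10.20.1.11 proto=tcp dport=502",
    "2011-10-03T08:15:10Z fw01 DROP src=203.0.113.9 dst=10.20.1.11 proto=tcp dport=502",
    "2011-10-03T08:16:31Z fw01 ACCEPT src=192.168.50.7 dst=10.20.1.10 proto=tcp dport=5000",
    "2011-10-03T08:17:05Z fw01 ACCEPT src=198.51.100.4 dst=10.20.1.11 proto=tcp dport=502",
]

if __name__ == "__main__":
    for a in find_unexpected_connections(SAMPLE_LOG):
        print(f"{a['time']} {a['src']} -> {a['product']} ({a['dst']} {a['port']})")
```

Dropped flows are deliberately not alerted here, since the firewall already enforced the allowlist; feed them to a separate probe-count rule if you want early warning of scanning.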