ScadaTEC ScadaPhone & Modbus TagServer Buffer Overflow Vulnerability
Act Now · ICS-CERT ICSA-11-362-01 · Sep 30, 2011
Energy
Summary
ScadaPhone 5.3.11.1230 and earlier and ModbusTagServer 4.1.1.81 and earlier contain a buffer overflow (CWE-119) that can lead to arbitrary code execution on the host running the software. Both products are deployed in SCADA environments in the energy sector.
What this means
What could happen
An attacker who triggers the overflow can execute arbitrary code with the privileges of the ScadaPhone or ModbusTagServer process. On a SCADA host that can mean disrupting supervisory operations, tampering with data passed to the control system, or using the host as a foothold for unauthorized control of energy infrastructure.
Who's at risk
Energy utilities and other critical infrastructure operators running ScadaPhone or ModbusTagServer as part of their supervisory control and data acquisition environment. ScadaPhone provides remote communication for SCADA systems; ModbusTagServer bridges data between Modbus devices and SCADA applications. Either host sits on the control network, so compromising it gives an attacker a position inside that network.
How it could be exploited
The overflow is reached by parsing untrusted input. The public exploit for these versions, and the Metasploit module referenced below, is a malformed project archive (.zip) in which a length field in the archive exceeds the fixed-size buffer the application copies into; when the crafted file is opened, the copy overruns the stack and the attacker gains arbitrary code execution on the host. The advisory does not describe a network-reachable trigger, so an "oversized Modbus request" should not be assumed to be the vector: the realistic path is getting the crafted file onto the host and opened there.
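The pattern behind this class of bug, as an added illustration that is not ScadaTEC's code and does not reproduce the real exploit: a minimal parser for a zip local file header that trusts the on-disk name length and copies into a fixed 64-byte stack buffer, beside a bounded version that rejects the entry, plus a scanner a defender can run over a project file before opening it with a vulnerable version. The header offsets follow the zip format; the buffer size, function names and the constructed test entries are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative zip local-file-header handling. Hypothetical code written for
 * this page; it is not ScadaTEC's parser. Offsets follow the zip format:
 * signature @0, compressed size @18, name length @26, extra length @28,
 * name @30. NAME_BUF is an assumed fixed stack buffer size. */
#define ZIP_LOCAL_SIG 0x04034b50u
#define ZIP_LOCAL_HDR 30
#define NAME_BUF 64

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the name length is taken from the file and copied into
 * a fixed buffer with no bound. A name longer than NAME_BUF overruns the
 * caller's stack frame (CWE-119). Kept here only for contrast; the demos
 * never call it on the oversized entry. */
void parse_local_header_unsafe(const uint8_t *buf, char name[NAME_BUF]) {
    uint16_t name_len = rd16(buf + 26);
    memcpy(name, buf + ZIP_LOCAL_HDR, name_len);
    name[name_len] = '\0';
}

/* Hardened version: validates the signature, checks the header fields against
 * the bytes actually present, and refuses any name that does not fit.
 * Returns 1 on success, 0 when the entry is malformed or the name too long. */
int parse_local_header_safe(const uint8_t *buf, size_t len, char *name, size_t name_cap) {
    if (len < ZIP_LOCAL_HDR || rd32(buf) != ZIP_LOCAL_SIG) return 0;
    uint16_t name_len = rd16(buf + 26);
    uint16_t extra_len = rd16(buf + 28);
    if ((size_t)name_len + extra_len > len - ZIP_LOCAL_HDR) return 0; /* truncated entry */
    if (name_len >= name_cap) return 0;                               /* would overflow */
    memcpy(name, buf + ZIP_LOCAL_HDR, name_len);
    name[name_len] = '\0';
    return 1;
}

/* Defender-side check: walk the local headers of an archive and report the
 * longest entry name. A project file whose name length is far beyond anything
 * legitimate should not be opened with the vulnerable versions. */
size_t max_local_name_len(const uint8_t *buf, size_t len) {
    size_t off = 0, longest = 0;
    while (off + ZIP_LOCAL_HDR <= len && rd32(buf + off) == ZIP_LOCAL_SIG) {
        uint16_t name_len = rd16(buf + off + 26);
        uint16_t extra_len = rd16(buf + off + 28);
        uint32_t csize = rd32(buf + off + 18);
        if (name_len > longest) longest = name_len;
        size_t next = off + ZIP_LOCAL_HDR + name_len + extra_len + csize;
        if (next <= off || next > len) break; /* wrap-around or truncated entry */
        off = next;
    }
    return longest;
}

/* Builds a constructed test entry: one stored (uncompressed) local header
 * with an empty payload and a name made of name_len 'A' characters. */
size_t build_local_entry(uint8_t *out, size_t cap, size_t name_len) {
    size_t total = ZIP_LOCAL_HDR + name_len;
    if (name_len > 0xffff || total > cap) return 0;
    memset(out, 0, ZIP_LOCAL_HDR);
    out[0] = 0x50; out[1] = 0x4b; out[2] = 0x03; out[3] = 0x04; /* "PK\3\4" */
    out[26] = (uint8_t)(name_len & 0xff);
    out[27] = (uint8_t)(name_len >> 8);
    memset(out + ZIP_LOCAL_HDR, 'A', name_len);
    return total;
}

/* Benign entry: both parsers accept a 12-byte name. Returns 1 on success. */
int demo_benign_accepted(void) {
    uint8_t blob[1024];
    char name[NAME_BUF];
    size_t n = build_local_entry(blob, sizeof blob, 12);
    if (!n) return 0;
    parse_local_header_unsafe(blob, name); /* safe only because 12 < NAME_BUF */
    return parse_local_header_safe(blob, n, name, sizeof name) == 1 && strlen(name) == 12;
}

/* Crafted entry: a 600-byte name would overrun NAME_BUF in the unsafe parser;
 * the hardened parser rejects it and the scanner flags it. Returns 1 if both hold. */
int demo_oversized_rejected(void) {
    uint8_t blob[1024];
    char name[NAME_BUF];
    size_t n = build_local_entry(blob, sizeof blob, 600);
    if (!n) return 0;
    return parse_local_header_safe(blob, n, name, sizeof name) == 0 && max_local_name_len(blob, n) == 600;
}

int main(void) {
    printf("benign entry accepted: %d\n", demo_benign_accepted());
    printf("oversized entry rejected: %d\n", demo_oversized_rejected());
    return 0;
}
```

The hardened parser checks two independent things, and both matter: that the header's length fields are consistent with the bytes actually in the file (otherwise the copy reads past the input), and that the name fits the destination (otherwise the copy writes past the buffer). The scanner gives operators a cheap pre-open check for project files arriving from outside the control network while the vulnerable versions remain in service.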
Prerequisites
- The application must parse an attacker-supplied project file: the attacker needs a way to deliver it (e-mail, removable media, a shared project directory) and a user or process on the host to open it
- No authentication is required beyond that

Tags: user interaction required · no authentication required · no patch available · high EPSS score (78%) · affects critical SCADA infrastructure
Exploitability
Likely to be exploited: EPSS score 78.0%
Metasploit module available (weaponized exploit)
Affected products (2), both end of life
Product | Affected versions | Fix status
ScadaPhone | ≤ 5.3.11.1230 | No fix (EOL)
ModbusTagServer | ≤ 4.1.1.81 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate ScadaPhone and ModbusTagServer hosts from untrusted networks with firewall rules; allow inbound access only from authorized SCADA networks and engineering workstations.
HARDENING: Restrict outbound connections from these hosts to an allowlist of required destinations and alert on anything else; segment the network so a compromised host cannot move laterally.
WORKAROUND: Control how project files reach these hosts: open only files from trusted sources, block e-mail attachments and removable media where the process allows it, and restrict write access to shared project directories.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: ScadaPhone ≤ 5.3.11.1230, ModbusTagServer ≤ 4.1.1.81. Apply the following compensating controls:
HARDENING: Plan migration to a supported product and confirm with the vendor whether a supported successor exists; until then run the affected software on dedicated, isolated hosts with application allowlisting so an exploit payload cannot launch additional executables, and review vendor advisories regularly.
CVEs (1)