InduSoft Web Studio Directory Traversal Vulnerability
ICS-CERT ICSA-14-107-02 (Jan 18, 2014)
Summary
InduSoft Web Studio 7.1 contains a directory traversal vulnerability that allows attackers to read arbitrary files from the system. The vulnerability exists in the web interface and could allow an unauthenticated attacker to traverse the file system and access sensitive files, configuration data, or system information.
What this means
What could happen
An attacker could read sensitive configuration files, system information, or credentials from the Web Studio server without authentication. This could lead to further compromise of the industrial control system or exposure of process configuration data.
Who's at risk
Water authorities and utility companies using InduSoft Web Studio 7.1 for SCADA/HMI systems should prioritize this issue. Web Studio is commonly used to monitor and control critical infrastructure like water distribution, wastewater treatment, and power systems. Any exposure of system files or credentials could compromise plant operations.
How it could be exploited
An attacker sends crafted HTTP requests with directory traversal sequences (e.g., ../) to the Web Studio web interface to escape the intended directory and read arbitrary files on the server. No authentication is required. The attacker could extract credentials, configuration files, or system data to plan further attacks.
Prerequisites
- Network access to the Web Studio web interface (typically TCP port 8080 or 80)
- No credentials required
Tags: remotely exploitable · no authentication required · low complexity · actively exploited (KEV) · high EPSS score (89.3%) · no patch available
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (1)
Product          Affected Versions   Fix Status
Web Studio: 7.1  7.1                 No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Implement network-level access controls to restrict which systems can reach the Web Studio web interface; consider firewall rules limiting access to engineering workstations and operator stations only
WORKAROUND: Deploy a web application firewall (WAF) or reverse proxy with rules to block directory traversal attempts (patterns like ../ or encoded variants)
HARDENING: Disable the Web Studio web interface if not required for remote access; manage Web Studio exclusively through local connections or a restricted VPN
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Monitor and log all HTTP requests to the Web Studio interface; alert on suspicious patterns including repeated 404s or requests containing ../ sequences
HOTFIX: Evaluate migration to a patched version of InduSoft Web Studio or an alternative HMI/SCADA platform that receives security updates
Mitigations - no patch available
Web Studio: 7.1 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Segment the network so Web Studio servers are on a separate zone with limited connectivity to critical control devices (PLCs, RTUs)
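The WAF and monitoring items above ask for two things: spotting ../ sequences (including percent-encoded and backslash variants) and flagging sources that generate repeated 404s. The following is an added detection example, not code from the advisory or the vendor; it assumes the web interface logs in Common Log Format, and the IP addresses, paths and the 404 threshold are constructed sample values.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jan/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [18/Jan/2014:10:00:02 +0000] "GET /../../windows/win.ini HTTP/1.1" 200 92
10.0.0.9 - - [18/Jan/2014:10:00:03 +0000] "GET /%2e%2e/%2e%2e/boot.ini HTTP/1.1" 404 0
10.0.0.9 - - [18/Jan/2014:10:00:04 +0000] "GET /..%5c..%5cconfig.sys HTTP/1.1" 404 0
10.0.0.9 - - [18/Jan/2014:10:00:05 +0000] "GET /%252e%252e/etc/passwd HTTP/1.1" 404 0
10.0.0.5 - - [18/Jan/2014:10:00:06 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
10.0.0.5 - - [18/Jan/2014:10:00:07 +0000] "GET /missing.html HTTP/1.1" 404 0
"""

# client - - [timestamp] "METHOD path PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path component bounded by separators (or start/end of the path).
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')

def normalize(path):
    """Undo bounded repeated percent-decoding (so %2e%2e and %252e%252e both
    surface as '..') and treat backslashes as separators, as a Windows host would."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def is_traversal(path):
    return bool(TRAVERSAL_RE.search(normalize(path)))

def analyze(log_text, not_found_threshold=3):
    """Return (traversal_hits, noisy_sources): hits are (ip, path, status) tuples
    whose path contains a traversal component; noisy_sources are client IPs with
    at least not_found_threshold 404 responses (hypothetical threshold)."""
    hits, not_found = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if is_traversal(m["path"]):
            hits.append((m["ip"], m["path"], m["status"]))
        if m["status"] == "404":
            not_found[m["ip"]] += 1
    noisy = sorted(ip for ip, n in not_found.items() if n >= not_found_threshold)
    return hits, noisy
```

Run against real logs, the 404 threshold should be tuned to the normal miss rate of the interface, and a hit should be correlated with the firewall rules in the first workaround.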
CVEs (1)