OTPulse

Bash Command Injection Vulnerability

Act Now · ICS-CERT ICSA-14-269-01A · Jun 29, 2014
Summary

Bash command injection vulnerability across multiple industrial routers, SCADA systems, and network devices. Attackers can inject arbitrary shell commands into affected devices through management interfaces (CLI, web, or API endpoints) that do not properly sanitize user input. Vulnerable products include Siemens ROX 1 and 2 (redundancy controllers), ABB Tropos 3000–7000 series routers, ABB Ventyx EMS/SCADA, Meinberg LANTIME time servers, Moxa Linux computers, and Red Lion Sixnet/RAM industrial gateways. All versions are affected and no patches have been released by any vendor.

What this means
What could happen
An attacker with network access to affected routers and SCADA systems could run arbitrary bash commands with system privileges, enabling them to alter operational setpoints, disable monitoring, or shut down critical energy infrastructure.
Who's at risk
Energy utilities operating Siemens ROX redundancy controllers, ABB Tropos industrial routers, ABB Ventyx EMS/SCADA systems, Meinberg LANTIME network time servers, Moxa Linux computers, Red Lion Sixnet and RAM industrial gateways. Any organization managing remote power distribution, SCADA monitoring, or critical substation automation equipment should assess if these products are in use.
How it could be exploited
An attacker sends specially crafted input to a bash shell interface (typically command injection via management interface, CLI, or web API) on a vulnerable device. The device parses the input without proper sanitization and executes injected shell commands. No authentication may be required depending on device configuration.
Prerequisites
  • Network access to the device management interface or command-line service
  • Device must accept unsanitized user input that reaches a bash shell interpreter
  • Default or weak access controls on management interfaces
Risk indicators
  • Actively exploited (KEV)
  • High EPSS score (94.1%)
  • Remotely exploitable
  • No patch available for any affected product
  • Affects safety and operational systems
  • May require no authentication depending on device configuration
  • Low complexity attack vector
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (9)
3 pending · 6 EOL
Product                                                    | Affected versions           | Fix status
Red Lion RAM 9000, RAM 6000, SN 6000 and M, A and R Series | All versions (vers:all/*)   | No fix yet
ABB Ventyx NM EMS/SCADA on RHEL Ventyx                     | All versions (vers:all/*)   | No fix (EOL)
Meinberg LANTIME                                           | 4.x, 5.x, 6.x               | No fix (EOL)
Moxa Linux-based computers                                 | All versions (vers:all/*)   | No fix (EOL)
Red Lion Sixnet BT-5000 and 6000 Series                    | All versions (vers:all/*)   | No fix (EOL)
Siemens ROX 1                                              | ≤ V1.16.0                   | No fix (EOL)
Siemens ROX 2                                              | ≤ V2.5.0                    | No fix yet
Siemens APE Linux with ELAN installed                      | V1.0                        | No fix yet
Remediation & Mitigation
Do now
HARDENING: Isolate affected routers and SCADA systems from untrusted networks using firewall rules—restrict access to management ports to authorized engineering workstations only
WORKAROUND: Disable remote management interfaces (SSH, telnet, HTTP admin portals) if not required; enable only from trusted networks via jump hosts or VPNs
HARDENING: Implement network segmentation to separate SCADA and router networks from general IT infrastructure and the internet
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Enable logging and monitoring on all affected devices to detect suspicious command execution patterns
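The monitoring item above is only useful if something actually inspects the device logs for input that would reach a shell. The script below is an added example, not OTPulse's or any vendor's code: it parses management-interface request logs and flags three indicator classes, shell metacharacters that chain or substitute commands, bare shell command names inside parameter values, and the Bash function-definition prefix that characterises the GNU Bash environment-variable flaw behind ICS-CERT ICSA-14-269-01 (Shellshock). The log format (timestamp, source IP, interface, quoted request) and every sample line are constructed for this example; a real device will need its own line parser.

```python
"""Flag Bash command-injection indicators in management-interface logs.

Added example (not OTPulse's or a vendor's code). The log format and the
sample lines are constructed; only the indicator logic is the point.
"""
import re
from collections import Counter
from typing import Dict, List

# Characters that let a caller chain or substitute shell commands. A single
# '&' is deliberately not flagged: it is a legitimate query-string separator.
_METACHARS = re.compile(r"(;|\|\||&&|\|\s*\w|`|\$\()")
# Bash environment-variable function-definition prefix: the Shellshock indicator.
_FUNC_DEF = re.compile(r"\(\)\s*\{")
# Command names that should never appear inside a management parameter value.
_COMMANDS = re.compile(r"\b(sh|bash|wget|curl|nc|telnet|chmod|reboot)\b")

# Constructed log format: <timestamp> <src_ip> <interface> "<request>"
_LINE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')


def score_request(request: str) -> List[str]:
    """Return the indicator names matched in one request string, in a fixed order."""
    hits: List[str] = []
    if _FUNC_DEF.search(request):
        hits.append("bash-function-definition")
    if _METACHARS.search(request):
        hits.append("shell-metacharacters")
    if _COMMANDS.search(request):
        hits.append("shell-command-name")
    return hits


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Parse each log line and return a finding for every request with indicators."""
    findings: List[Dict[str, object]] = []
    for raw in lines:
        m = _LINE.match(raw.strip())
        if not m:
            continue  # malformed or unrelated line; skip rather than crash
        ts, src, iface, request = m.groups()
        hits = score_request(request)
        if hits:
            findings.append({"ts": ts, "src": src, "iface": iface,
                             "request": request, "indicators": hits})
    return findings


def findings_by_source(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per source IP, the natural pivot for a firewall block or IR ticket."""
    return dict(Counter(str(f["src"]) for f in findings))


# Constructed sample: two benign web requests, one benign CLI command, and two
# requests carrying injection indicators from untrusted (documentation-range) IPs.
SAMPLE_LOG = [
    '2014-06-29T10:01:02Z 10.20.5.15 web "GET /cgi-bin/status.cgi HTTP/1.1"',
    '2014-06-29T10:01:09Z 203.0.113.7 web "GET /cgi-bin/status.cgi HTTP/1.1 User-Agent: () { :;}; echo x"',
    '2014-06-29T10:02:31Z 10.20.5.15 cli "set hostname rtr-01"',
    '2014-06-29T10:03:44Z 198.51.100.22 api "POST /api/ping host=10.20.0.1;sh -c id"',
    '2014-06-29T10:04:10Z 10.20.5.16 web "GET /api/status?if=eth0&verbose=1 HTTP/1.1"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['iface']}: {', '.join(f['indicators'])}")
    print(findings_by_source(scan_log(SAMPLE_LOG)))
```

The indicator list is intentionally narrow; on a real device, pair it with an allow-list of the parameter values the interface legitimately accepts so that the metacharacter check can be tightened without drowning in false positives.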
Long-term hardening
HOTFIX: Evaluate replacement or vendor migration for products with no patch available, prioritizing ROX 1/2, Tropos routers, and Ventyx systems