Schneider Electric InduSoft Web Studio and InTouch Machine Edition 2014 Vulnerabilities
Low Risk · ICS-CERT ICSA-15-085-01 · Dec 27, 2015
Summary
InduSoft Web Studio and InTouch Machine Edition 2014 contain multiple authentication and credential management vulnerabilities (CWE-798, CWE-287, CWE-319) that allow unauthenticated remote attackers to gain administrative access to the HMI web interface. The affected versions 7.1.3.2 and earlier have hardcoded credentials and transmit credentials without encryption. No vendor patch is available; users are advised to implement compensating network controls and restrict access to these systems.
What this means
What could happen
An attacker with network access to InduSoft Web Studio or InTouch Machine Edition could gain unauthorized control over the HMI/SCADA interface, potentially altering process setpoints, disabling alarms, or stopping critical operations in power generation and distribution systems.
Who's at risk
Energy sector organizations using Schneider Electric InduSoft Web Studio or AVEVA InTouch Machine Edition 2014 for HMI/SCADA operator interfaces in generation, transmission, and distribution control centers. This affects any operator console or engineering workstation running these versions that communicates with PLCs, RTUs, or other industrial control devices.
How it could be exploited
An attacker on the same network as the HMI workstation could exploit hardcoded credentials or weak authentication mechanisms in the web interface to gain administrative access without valid credentials, then issue commands to connected industrial devices or modify operator screens and logic.
Prerequisites
- Network access to the HMI web interface (port 80/443 or configured application port)
- HMI application running InduSoft Web Studio or InTouch Machine Edition 2014 version 7.1.3.2 or earlier
- No additional credentials required (hardcoded or default credentials present)
- No authentication required (hardcoded credentials)
- No patch available
- Remotely exploitable
- Affects safety and operational systems
- Unencrypted credential transmission (CWE-319)
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (2), both end-of-life

Product                         Affected versions    Fix status
InduSoft Web Studio             <= 7.1.3.2           No fix (EOL)
InTouch Machine Edition 2014    <= 7.1.3.2           No fix (EOL)
Remediation & Mitigation
Do now
- [HARDENING] Isolate InduSoft Web Studio and InTouch Machine Edition 2014 systems from untrusted networks using air-gapping, a DMZ, or strict firewall rules that limit inbound access to known engineering workstations only
- [WORKAROUND] Disable the web interface if it is not actively used for remote monitoring; use only local HMI access or dedicated engineering tools
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption
- [HARDENING] Implement network segmentation to restrict communication between the HMI and production devices to a dedicated industrial control network
- [HARDENING] Deploy intrusion detection rules to monitor for unauthorized authentication attempts to HMI interfaces
Long-term hardening
- [HOTFIX] Plan an upgrade to InduSoft Web Studio or InTouch versions later than 7.1.3.2 when available from the vendor, or consider migration to supported AVEVA products
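The two mitigations that pair naturally are the allowlist of engineering workstations and the intrusion-detection rule for authentication attempts. The script below is an added example, not part of the advisory or of any Schneider Electric/AVEVA product: it reads access-log lines from a reverse proxy placed in front of the HMI web interface, picks out requests to login paths, and reports any that come from an address outside the workstation allowlist, separating successful logins (the case hardcoded credentials make likely) from failed ones. The log format, the network ranges, the login paths and the sample lines are all constructed assumptions.

```python
"""Flag HMI web-interface authentication attempts from outside the
engineering-workstation allowlist.

Added example; assumed log format, addresses and paths (not from the
advisory or the vendor's products).
"""
import ipaddress
import re
from collections import Counter

# Assumed: the only subnet permitted to reach the HMI web interface.
ENGINEERING_WORKSTATIONS = [ipaddress.ip_network("10.10.5.0/28")]

# Assumed: paths that create a session on the HMI web UI.
AUTH_PATHS = ("/login", "/api/session")

# Assumed: Common Log Format as written by a reverse proxy in front of the HMI.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_allowed(src):
    """True if the source address belongs to an allowlisted workstation range."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed or non-IP source: never treat as trusted
    return any(addr in net for net in ENGINEERING_WORKSTATIONS)


def find_unauthorized_auth(lines):
    """Return (src, timestamp, path, status) for every authentication
    request that did not originate from an allowlisted workstation."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop query string before matching
        if path not in AUTH_PATHS or is_allowed(rec["src"]):
            continue
        hits.append((rec["src"], rec["ts"], rec["path"], rec["status"]))
    return hits


def successful_outside_logins(hits):
    """Subset of hits the server answered with a non-error status: with
    hardcoded credentials these are the ones that matter most."""
    return [h for h in hits if h[3] < 400]


def summarize(hits):
    """Count unauthorized authentication attempts per source address."""
    return Counter(src for src, *_ in hits)


# Constructed sample log: two allowlisted workstations, two outside sources,
# and one line that does not parse.
SAMPLE_LOG = [
    '10.10.5.3 - - [27/Dec/2015:08:01:12 +0000] "POST /login HTTP/1.1" 302 0',
    '10.10.5.4 - - [27/Dec/2015:08:02:40 +0000] "GET /screens/overview HTTP/1.1" 200 5120',
    '192.168.40.77 - - [27/Dec/2015:08:05:01 +0000] "POST /login HTTP/1.1" 401 0',
    '192.168.40.77 - - [27/Dec/2015:08:05:03 +0000] "POST /login HTTP/1.1" 302 0',
    '172.16.9.15 - - [27/Dec/2015:08:07:22 +0000] "GET /api/session?user=operator HTTP/1.1" 200 210',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    hits = find_unauthorized_auth(SAMPLE_LOG)
    for src, ts, path, status in hits:
        print(f"{ts} unauthorized auth attempt from {src} to {path} -> {status}")
    print("per-source counts:", dict(summarize(hits)))
    print("successful logins from outside the allowlist:",
          [h[0] for h in successful_outside_logins(hits)])
```

Run it against a real proxy log by replacing SAMPLE_LOG with the file's lines; the allowlist and AUTH_PATHS must be set to the actual engineering subnet and the login endpoints of the deployed HMI. Because the advisory reports credentials are sent unencrypted, the proxy that produces these logs is also the place to terminate TLS so the HMI's own cleartext exchange never leaves the control network.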