Emerson AMS Device Manager SQL Injection Vulnerability
Low Risk | ICS-CERT ICSA-15-111-01 | Jan 22, 2015
Summary
AMS Device Manager versions 12.5 and earlier contain a SQL injection vulnerability (CWE-89) that could allow an attacker to manipulate SQL queries executed by the application.
What this means
What could happen
An attacker could inject malicious SQL commands through the application, potentially allowing unauthorized access to the device database, modification of device configurations, or disruption of AMS management operations.
Who's at risk
Emerson AMS Device Manager users in oil, gas, refining, chemical, and power generation facilities should review this vulnerability. AMS Device Manager is used to manage intelligent instruments and control system devices; compromise could lead to unauthorized changes to process device configurations.
How it could be exploited
An attacker would need to send a specially crafted SQL injection payload to AMS Device Manager, likely through an input field or API endpoint that constructs SQL queries. Successful injection could allow reading or modifying stored device data, credentials, or configuration parameters.
Prerequisites
- Network access to AMS Device Manager web interface or API
- Knowledge of the SQL query structure used by the application
- Ability to interact with input fields or endpoints that feed into SQL queries
- SQL injection vulnerability
- No patch available from vendor
- Remotely exploitable if AMS Device Manager is network-accessible
- Could allow database manipulation and unauthorized device configuration changes
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
Product | Affected Versions | Fix Status
AMS Device Manager: <=V12.5 | ≤ V12.5 | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to AMS Device Manager to authorized engineering workstations only using firewall rules
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade AMS Device Manager to a version newer than 12.5 if available from Emerson
Mitigations - no patch available
AMS Device Manager: <=V12.5 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Implement network segmentation to isolate AMS Device Manager from untrusted networks
- HARDENING: Monitor AMS Device Manager logs for SQL error messages or unusual database query patterns that may indicate exploitation attempts
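One way to act on the log-monitoring control above, combined with the "authorized engineering workstations only" restriction, as an added example that is not part of the advisory or of Emerson's software. The log line layout, the workstation addresses and the sample lines are constructed assumptions, and the error phrases are generic database messages to be tuned to what the installation actually logs.

```python
import re
from collections import defaultdict

# Assumed allowlist of engineering workstations (placeholder addresses).
AUTHORIZED = {"10.0.5.21", "10.0.5.22"}

# Generic database error phrasings; tune to the messages your database emits.
SQL_ERROR = re.compile(
    r"unclosed quotation mark|incorrect syntax near|syntax error|"
    r"conversion failed when converting|SQLSTATE",
    re.IGNORECASE,
)

# Assumed line layout: "<ISO timestamp> <source IP> <message>".
LINE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(.*)$")

# Constructed sample log, not taken from a real AMS Device Manager system.
SAMPLE_LOG = """\
2015-01-22T10:01:07 10.0.5.21 Device list refreshed (42 devices)
2015-01-22T10:02:13 10.0.9.77 Unclosed quotation mark after the character string ''.
2015-01-22T10:02:15 10.0.9.77 Incorrect syntax near ')'.
2015-01-22T10:02:19 10.0.9.77 Incorrect syntax near the keyword 'FROM'.
2015-01-22T10:05:40 10.0.5.22 Conversion failed when converting the varchar value 'n/a' to data type int.
2015-01-22T10:06:02 10.0.5.21 Calibration record saved for tag FT-101
malformed line without the expected fields
"""


def scan(log_text, repeat_threshold=3):
    """Return {source_ip: finding} for every source that produced SQL error lines."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, src, msg = m.groups()
        if SQL_ERROR.search(msg):
            hits[src].append(ts)
    findings = {}
    for src, stamps in hits.items():
        reasons = []
        if src not in AUTHORIZED:  # traffic the firewall rule should have blocked
            reasons.append("unauthorized-source")
        if len(stamps) >= repeat_threshold:  # repeated errors suggest probing, not a typo
            reasons.append("repeated-errors")
        findings[src] = {"count": len(stamps), "first": stamps[0],
                         "last": stamps[-1], "reasons": reasons}
    return findings
```

A finding with an empty `reasons` list is a single SQL error from an allowed workstation; it is still worth reviewing, but it ranks below errors from a source outside the allowlist.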
CVEs (1)