Resource Data Management Privilege Escalation Vulnerability
Plan Patch | CVSS 8.8 | ICS-CERT ICSA-15-265-01 | Jun 25, 2015
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Resource Data Management systems prior to version 2.2 contain a privilege escalation vulnerability (CWE-269, CWE-352) that allows authenticated users with standard credentials to gain administrator-level access. An attacker exploiting this flaw could access, modify, or delete critical operational data and audit logs. The vulnerability affects all versions prior to 2.2.
What this means
What could happen
An attacker with engineering workstation credentials could escalate privileges on the Data Manager system and gain full control, allowing them to alter or delete historical data, modify operational records, or disrupt data logging that operators rely on for process monitoring.
Who's at risk
Water authorities and electric utilities using the Resource Data Manager (version 2.2 or earlier) to store operational data, SCADA history, or process logs. This includes facilities that rely on the system for data integrity verification, compliance reporting, or operational audits.
How it could be exploited
An attacker with valid engineering credentials logs into the Data Manager system and exploits improper privilege handling (CWE-269) or cross-site request forgery (CWE-352) to escalate from a standard user account to an administrator account. From there, they can modify any data stored in the system or give themselves persistent access.
Prerequisites
- Valid engineering workstation credentials for Data Manager access
- Network access to the Data Manager system
- Ability to interact with the management interface or API
- High CVSS score (8.8)
- Requires valid credentials but allows privilege escalation
- No patch available
- Affects data integrity and audit trails
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Data Manager: <2.2 | <2.2 | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to the Data Manager system to only authorized engineering workstations using firewall rules or network segmentation
- HARDENING: Enforce strong, unique credentials for all Data Manager accounts and disable any default or shared accounts
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor Data Manager logs for unusual privilege escalation or administrative account activity
Mitigations - no patch available
Data Manager: <2.2 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Implement multi-factor authentication for Data Manager access if available
CVEs (2)