Infinite Automation Systems Mango Automation Vulnerabilities (Update A)
Infinite Automation Systems Mango Automation versions 2.5.0 through 2.6.0 contain multiple vulnerabilities allowing authenticated attackers to upload arbitrary files (CWE-434), execute operating system commands (CWE-78), read sensitive information (CWE-215), inject SQL queries (CWE-89), bypass access controls (CWE-352), inject malicious scripts into web pages (CWE-79), and infer timing information to enumerate user data (CWE-204). A malicious user or an attacker who has compromised a low-privileged account can exploit these issues to gain complete control of the Mango Automation server, alter automation rules, manipulate sensor data, or disable monitoring systems.
- Prerequisite for exploitation: a valid Mango Automation user account with login credentials
CISA recommends users take defensive measures to minimize the risk of exploitation.