Exemys Web Server Bypass Vulnerability
Plan Patch | 8.6 | ICS-CERT ICSA-15-321-01 | Aug 20, 2015
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The Exemys Telemetry Web Server contains an authentication bypass vulnerability (CWE-592: Empty Password in Login). An attacker on the network can bypass login controls and gain unauthorized access to telemetry data, system configuration, and other sensitive information. The vulnerability affects all versions of the Exemys Telemetry Web Server. The vendor has not planned a fix.
What this means
What could happen
An attacker with network access can bypass authentication on the Exemys Web Server and read sensitive data like telemetry information or system configuration without entering valid credentials.
Who's at risk
Water authorities, municipal utilities, and other operators relying on Exemys Telemetry Web Server for remote monitoring of SCADA systems, water quality sensors, or power distribution equipment. Any organization using Exemys for telemetry collection in OT environments should be concerned.
How it could be exploited
An attacker on the network sends a specially crafted request to the Exemys Telemetry Web Server that bypasses the authentication check (CWE-592: Empty Password in Login). Once authentication is bypassed, the attacker can access telemetry data and other information normally restricted to authenticated users.
Prerequisites
- Network access to the Exemys Telemetry Web Server (typically port 80 or 443)
- No valid credentials required
Remotely exploitable | No authentication required | Low complexity | No patch available | Affects monitoring and telemetry systems
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
Exemys Telemetry Web Server: vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to the Exemys Web Server using a firewall, allowing connections only from trusted engineering workstations and monitoring systems
- WORKAROUND: Disable or isolate the Exemys Web Server if it is not actively required for operations
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HARDENING: Monitor access logs for the Exemys Web Server for suspicious authentication patterns or unauthenticated data access
Mitigations - no patch available
Exemys Telemetry Web Server: vers:all/* has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Implement network segmentation to place telemetry servers on a restricted VLAN separate from general IT networks
CVEs (1)