XZERES 442SR Wind Turbine Cross-site Scripting Vulnerability
Priority: Act Now
CVSS: 9.8 (C)
Advisory: ICS-CERT ICSA-15-342-01
Date: Sep 10, 2015
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Cross-site scripting (XSS) vulnerability in the XZERES 442SR Wind Turbine web management interface. An attacker can inject malicious JavaScript that executes in the browsers of engineers and operators accessing the turbine dashboard. The vulnerability affects all versions of the 442SR with no vendor patch available.
What this means
What could happen
An attacker could inject malicious scripts into the wind turbine web interface, gaining control over turbine operations or stealing sensitive configuration and monitoring data.
Who's at risk
Wind farm operators using XZERES 442SR turbines. This is critical for facilities managing distributed renewable energy generation or grid-connected wind assets where turbine monitoring and control are essential to operations.
How it could be exploited
An attacker sends a crafted HTTP request containing JavaScript code to the 442SR web interface. The code is stored and executed in the browsers of engineers or operators who access the management dashboard, allowing the attacker to run commands with the privileges of the logged-in user.
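The bug class described above is stored cross-site scripting: text submitted through the management interface is persisted and later written into HTML for other users without output encoding. The following is an added example, not code from the page or from XZERES, that models the defect beside its fix and audits the rendered markup the way a browser would parse it. The field names (site_name, operator) and the sample inputs are constructed for the demonstration and are not the 442SR's real parameters.

```python
import html
from html.parser import HTMLParser

# Constructed inputs standing in for text a user could submit through a form on a
# web management interface. Field names are hypothetical, not the 442SR's real ones.
CONSTRUCTED_SITE_NAME = "Ridge Site <script>alert(document.cookie)</script>"
CONSTRUCTED_OPERATOR = 'ops" onfocus="alert(1)'


# Stored XSS persists attacker-controlled text and renders it to later viewers.
# A dict stands in for the device's settings store; the rendering step is what matters.
def save_settings(store: dict, site_name: str, operator: str) -> None:
    store["site_name"] = site_name
    store["operator"] = operator


def render_vulnerable(store: dict) -> str:
    """Bug class: stored strings are concatenated straight into HTML."""
    return (
        f'<h1>Turbine: {store["site_name"]}</h1>'
        f'<input name="operator" value="{store["operator"]}">'
    )


def render_hardened(store: dict) -> str:
    """Fix: encode for the HTML context at output time.

    html.escape(quote=True) is correct for element text and for double-quoted
    attribute values, the two contexts used here; other contexts (URLs, inline
    script) need their own encoders."""
    return (
        f'<h1>Turbine: {html.escape(store["site_name"], quote=True)}</h1>'
        f'<input name="operator" value="{html.escape(store["operator"], quote=True)}">'
    )


class ActiveContentAudit(HTMLParser):
    """Parses rendered markup and records constructs that would execute script.

    Parsing, rather than substring matching, mirrors what the browser does, so an
    escaped payload that merely *looks* like a tag inside an attribute value is
    correctly reported as inert."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name}")
            if name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"{name} attribute with javascript: URL")


def audit_rendered_html(markup: str) -> list[str]:
    """Return a list of active-content findings for a rendered HTML fragment."""
    auditor = ActiveContentAudit()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    store: dict = {}
    save_settings(store, CONSTRUCTED_SITE_NAME, CONSTRUCTED_OPERATOR)
    for label, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        page = render(store)
        print(f"{label}: {page}")
        print(f"  active content: {audit_rendered_html(page) or 'none'}")
```

The audit function is also usable as a regression check in a test suite for any web interface that renders stored settings: feed it the HTML produced for a set of hostile fixture values and assert that it returns an empty list.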
Prerequisites
- Network access to the wind turbine's web management port (typically HTTP/HTTPS)
- Access to a web browser that can reach the turbine interface
Tags: remotely exploitable · no authentication required · low complexity · no patch available · CVSS 9.8 (critical severity)
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
442SR Wind Turbine (vers:all/*) | All versions | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Implement network segmentation to restrict access to the 442SR web management interface from trusted engineering networks only
- WORKAROUND: Deploy a web application firewall (WAF) or HTTP proxy to filter malicious script payloads before they reach the turbine
- HARDENING: Limit web interface access to a management VPN or bastion host; do not expose the turbine web port directly to untrusted networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- WORKAROUND: Disable the web management interface on 442SR turbines if remote management is not required; use local physical access only for configuration
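Because no vendor fix exists, the WAF or HTTP proxy listed above is a compensating control: it cannot repair the missing output encoding in the device, only reduce what reaches it. The following added example (not code from the page or the vendor) shows the screening logic such a proxy would apply to requests bound for the turbine interface: an allowlist of the expected shape of each known form field, with a generic script-marker check only as a fallback for fields the allowlist does not cover. The request paths, field names and payloads are constructed for the demonstration and are not the 442SR's real endpoints.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed requests a filtering proxy in front of the turbine's web interface
# might see. Paths and field names are hypothetical, not the 442SR's real ones.
CONSTRUCTED_REQUESTS = [
    ("POST", "/settings", "site_name=Ridge+Site&operator=alice"),
    ("POST", "/settings", "site_name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&operator=alice"),
    # double percent-encoded attribute breakout: decodes to  ops" onfocus="alert(1)
    ("POST", "/settings", "operator=ops%2522%2520onfocus%253D%2522alert%25281%2529"),
    ("GET", "/status?view=summary", ""),
    ("GET", "/status?view=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E", ""),
    # field not in the allowlist; only the fallback marker check applies
    ("GET", "/status?ref=javascript%3Aalert(1)", ""),
]

# Allowlist: the shape each known field is permitted to have. Rejecting anything
# outside the expected shape is far more robust than enumerating bad substrings.
FIELD_RULES = {
    "site_name": re.compile(r"^[A-Za-z0-9 ._-]{1,64}$"),
    "operator": re.compile(r"^[A-Za-z0-9._-]{1,32}$"),
    "view": re.compile(r"^(summary|detail|alarms)$"),
}

# Fallback markers for fields with no rule: tag openers, javascript: URLs, on*= handlers.
# Deliberately coarse; the allowlist above is the real control.
SCRIPT_MARKERS = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so a double-encoded payload is inspected in
    the form the application would eventually see, not the form it was sent in."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def screen_request(method: str, target: str, body: str) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). parse_qsl performs one decoding pass itself;
    fully_decode handles any further layers."""
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if method == "POST":
        params += parse_qsl(body, keep_blank_values=True)

    reasons: list[str] = []
    for name, raw in params:
        value = fully_decode(raw)
        rule = FIELD_RULES.get(name)
        if rule is not None:
            if not rule.fullmatch(value):
                reasons.append(f"{name}: value outside allowed pattern")
        elif SCRIPT_MARKERS.search(value):
            reasons.append(f"{name}: script marker in field with no allowlist rule")
    return (not reasons, reasons)


def screen_all(requests=CONSTRUCTED_REQUESTS) -> list[tuple[str, str, bool, list[str]]]:
    """Screen every request; the proxy would forward allowed ones and log the rest."""
    return [(m, t, *screen_request(m, t, b)) for m, t, b in requests]


if __name__ == "__main__":
    for method, target, allowed, reasons in screen_all():
        verdict = "ALLOW" if allowed else "BLOCK"
        print(f"{verdict} {method} {target} {'; '.join(reasons)}")
```

Blocked requests should be logged with source address and the offending field so the SOC can see attempts against the turbine network; a rise in blocks from an engineering subnet is itself worth investigating. The fallback marker check is known to be bypassable and to produce occasional false positives (any unknown field whose value happens to contain `on...=`), which is why every field the interface actually accepts should get an explicit rule.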
CVEs (1)
API: /api/v1/advisories/8ac5eccc-5a0c-49ed-832e-f0417c1145f4