OTPulse

Westermo Industrial Switch Hard-coded Certificate Vulnerability (Update A)

Act Now · CVSS 9 · ICS-CERT ICSA-16-028-01A · Oct 31, 2016
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Westermo WeOS firmware versions below 4.19.0 ship with a hard-coded certificate, and the private key that goes with it, embedded in the firmware image. The same key is present in every copy of the firmware, so an attacker who extracts it once holds the key for every device running a vulnerable version and can decrypt or impersonate the switch's TLS-protected communications, including management traffic and control protocol messages. The vulnerability affects all Westermo switches running vulnerable firmware versions and cannot be mitigated by configuration changes alone.

What this means
What could happen
An attacker with network access to a Westermo industrial switch could decrypt encrypted communications by exploiting hard-coded certificates, potentially allowing eavesdropping on sensitive control traffic or impersonation of the switch in critical manufacturing processes.
Who's at risk
Manufacturing facilities operating Westermo industrial switches running WeOS firmware below version 4.19.0 in networked control systems, in particular those that rely on TLS-protected management services (HTTPS and any other service that presents the device certificate) for remote monitoring or configuration. SSH authenticates the device with host keys rather than an X.509 certificate, so it is not exposed through this certificate.
How it could be exploited
An attacker who has extracted the certificate's private key from a copy of WeOS firmware below 4.19.0 captures TLS traffic to or from the switch. If the session negotiated an RSA key-exchange cipher suite, the captured traffic can be decrypted offline with that key. If it negotiated an ephemeral (forward-secret) key exchange, passive decryption does not work, but the attacker can still present the switch's own certificate and key from an active man-in-the-middle position and be accepted as the genuine device. Either way, the attacker could read sensitive configuration or operational commands, or impersonate the switch to inject malicious control instructions.
Prerequisites
  • Network access to the Westermo switch (typically requires access to the control network or VPN tunnel to the facility)
  • Ability to capture encrypted network traffic destined for or originating from the switch
  • The certificate's private key, extracted from a copy of the vulnerable firmware image (the same key is present in every copy), and familiarity with the TLS configuration the switch negotiates
Tags: remotely exploitable · hard-coded credential equivalent · affects network infrastructure used in safety-critical applications · no patch available for end-of-life firmware · potential for traffic interception and command injection
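Two checks a practitioner would want before trusting a device that might be affected: does the firmware image actually carry an embedded private key, and do several switches present the same certificate (and therefore the same key)? The block below is an added example written for this page, not Westermo's code or anything from the advisory. The firmware bytes and the DER blobs are constructed stand-ins with placeholder bodies, not real key material; fetch_cert_der is a live helper that the offline sample does not call.

```python
import hashlib
import re
import ssl
from collections import defaultdict

# Constructed stand-in for a firmware image: binary filler around two PEM
# blocks. The key and certificate bodies are placeholder text, not real keys.
FAKE_FIRMWARE = (
    b"\x00\x01WeOS-image-header\x00" * 4
    + b"-----BEGIN RSA PRIVATE KEY-----\n"
    + b"MIIBOgIBAAJBAK/placeholder/not/a/real/key/body\n"
    + b"-----END RSA PRIVATE KEY-----\n"
    + b"\xff" * 32
    + b"-----BEGIN CERTIFICATE-----\n"
    + b"MIIBszCCAV2gAwIBAgI/placeholder/not/a/real/cert/body\n"
    + b"-----END CERTIFICATE-----\n"
    + b"\x00" * 16
)

# PEM framing: "-----BEGIN X-----" ... "-----END X-----" with matching labels.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)


def find_pem_blocks(image: bytes):
    """Return (label, byte offset, sha256 of the base64 body) for each PEM block."""
    return [
        (m.group(1).decode("ascii"), m.start(), hashlib.sha256(m.group(2)).hexdigest())
        for m in PEM_BLOCK.finditer(image)
    ]


def has_embedded_private_key(image: bytes) -> bool:
    """True if any PEM block in the image is a private key of any type."""
    return any("PRIVATE KEY" in label for label, _, _ in find_pem_blocks(image))


def fetch_cert_der(host: str, port: int = 443) -> bytes:
    """Live helper (not used by the offline sample): grab the certificate a
    device presents on its HTTPS port as DER bytes."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def shared_fingerprints(cert_by_host: dict) -> dict:
    """Map SHA-256 fingerprint -> hosts for every fingerprint presented by more
    than one device. Distinct devices sharing one certificate (and so one
    private key) is the hard-coded-certificate signature this advisory describes."""
    by_fp = defaultdict(list)
    for host, der in cert_by_host.items():
        by_fp[hashlib.sha256(der).hexdigest()].append(host)
    return {fp: hosts for fp, hosts in by_fp.items() if len(hosts) > 1}


# Constructed DER stand-ins: switch-a and switch-b present the identical blob,
# switch-c has a unique one (as a device with a regenerated certificate would).
SAMPLE_CERTS = {
    "switch-a": b"\x30\x82\x01\xb3placeholder-default-cert",
    "switch-b": b"\x30\x82\x01\xb3placeholder-default-cert",
    "switch-c": b"\x30\x82\x01\xb3placeholder-unique-cert",
}

if __name__ == "__main__":
    for label, off, digest in find_pem_blocks(FAKE_FIRMWARE):
        print(f"{label:20s} at offset {off:#x}  body-sha256={digest[:16]}...")
    print("embedded private key:", has_embedded_private_key(FAKE_FIRMWARE))
    for fp, hosts in shared_fingerprints(SAMPLE_CERTS).items():
        print(f"fingerprint {fp[:16]}... shared by {hosts}")
```

On a real image, run find_pem_blocks over the unpacked firmware (or the raw file if it is not compressed); a PRIVATE KEY block is the finding. For the fleet check, replace SAMPLE_CERTS with the result of fetch_cert_der for each switch: any fingerprint returned by shared_fingerprints is a certificate, and key, that more than one device is using.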
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product   Affected Versions   Fix Status
WeOS      < 4.19.0            Fixed in 4.19.0
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation, isolating Westermo switches in a separate VLAN or subnet with firewall rules that restrict unauthorized access from engineering workstations, remote sites, and untrusted networks
WORKAROUND: Contact Westermo technical support to determine if any security updates, firmware patches, or migration paths are available for your specific WeOS version and hardware model
Schedule — requires maintenance window

Upgrading to WeOS 4.19.0 or later may require a device reboot — plan for process interruption

HARDENING: Deploy network monitoring on the control network to detect and alert on sessions that present the firmware's default certificate, especially from an address that is not in your switch inventory or over a cipher suite without forward secrecy
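Detection logic for the monitoring item above, as an added example written for this page rather than code from OTPulse or Westermo. It assumes a TLS session log with Zeek-like field names and a server-certificate fingerprint per session; the fingerprint value, the inventory addresses, and the log lines are all constructed for the example. It flags three things: the default certificate still in use on a known switch, a session with that certificate over an RSA key-exchange suite (passively decryptable with the extracted key), and the default certificate presented by a host that is not a known switch (impersonation).

```python
import csv
import io
from dataclasses import dataclass

# Hypothetical fingerprint of the certificate extracted from the vulnerable
# firmware; take the real value from your own firmware copy.
DEFAULT_CERT_FP = "sha256:DEADBEEF00"
# Addresses that are legitimately Westermo switches on the control network.
SWITCH_INVENTORY = {"10.10.1.11", "10.10.1.12"}
# RSA key exchange: no forward secrecy, so the session key is recoverable with
# the server's private key alone.
NON_PFS_PREFIXES = ("TLS_RSA_",)

# Constructed sample log (tab-separated, Zeek-like field names). Not real traffic.
SAMPLE_LOG = """\
ts\tid.orig_h\tid.resp_h\tid.resp_p\tcipher\tserver_cert_fp
1.0\t10.10.5.20\t10.10.1.11\t443\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\tsha256:DEADBEEF00
2.0\t10.10.5.20\t10.10.1.12\t443\tTLS_RSA_WITH_AES_128_CBC_SHA\tsha256:DEADBEEF00
3.0\t10.10.5.20\t10.10.1.99\t443\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\tsha256:DEADBEEF00
4.0\t10.10.5.21\t10.10.1.11\t443\tTLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\tsha256:0123456789
"""


@dataclass
class Alert:
    ts: str
    resp_h: str
    rule: str


def detect(log_text: str, default_fp: str = DEFAULT_CERT_FP,
           inventory: set = SWITCH_INVENTORY) -> list:
    """Return one Alert per session that presented the default certificate,
    classified by the most serious condition that applies."""
    alerts = []
    reader = csv.DictReader(io.StringIO(log_text), delimiter="\t")
    for row in reader:
        fp, resp, cipher = row["server_cert_fp"], row["id.resp_h"], row["cipher"]
        if fp != default_fp:
            continue  # unique certificate: nothing to flag here
        if resp not in inventory:
            # The firmware's certificate served by something that is not a
            # known switch: someone is using the extracted key to impersonate.
            alerts.append(Alert(row["ts"], resp, "default-cert-from-unknown-host"))
        elif cipher.startswith(NON_PFS_PREFIXES):
            # Known switch, but the session can be decrypted offline.
            alerts.append(Alert(row["ts"], resp, "default-cert-non-pfs-session"))
        else:
            # Known switch still on the hard-coded certificate: schedule the upgrade.
            alerts.append(Alert(row["ts"], resp, "default-cert-still-in-use"))
    return alerts


def summarize(alerts: list) -> dict:
    """Count alerts per rule, for a dashboard or a daily report."""
    counts = {}
    for a in alerts:
        counts[a.rule] = counts.get(a.rule, 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts:>5} {a.resp_h:<12} {a.rule}")
    print(summarize(found))
```

The inventory check is what turns "a device still has the default cert" (an upgrade backlog item) into "someone else is presenting that cert" (an incident). Populate SWITCH_INVENTORY from your asset list rather than from the traffic itself, or an attacker's host simply becomes part of the baseline.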