Sauter moduWeb Vision Vulnerabilities

Plan PatchCVSS 10ICS-CERT ICSA-16-033-01Nov 5, 2016

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Sauter moduWeb Vision versions before 1.6.0 contain multiple critical vulnerabilities: unencrypted data transmission (CWE-319) exposes credentials and configuration data to network eavesdropping; missing input validation (CWE-79) allows cross-site scripting to inject malicious commands; and insufficient access control (CWE-311) permits unauthenticated access to protected functions. An attacker with network access can intercept communications, modify facility automation settings, capture operator credentials, or disable monitoring capabilities. The vendor has stated no fix will be provided for this end-of-life product.

What this means

What could happen

Multiple critical vulnerabilities in Sauter moduWeb Vision allow an attacker to steal sensitive data, modify configuration, or interrupt facility automation operations by intercepting unencrypted communications and injecting malicious content.

Who's at risk

Facility automation operators and engineers at water authorities and district heating/cooling facilities who manage building systems through Sauter moduWeb Vision controllers. Anyone with network access to these devices—including contractors, IT staff, or remote management tools—could be affected if not properly restricted.

How it could be exploited

An attacker on the network or intercepting traffic can exploit unencrypted communications (CWE-319) to capture credentials or sensitive data, inject malicious scripts into the web interface (CWE-79) to compromise operator actions, or directly access protected functions without authentication (CWE-311). No user interaction is required—the attacker only needs network access to the moduWeb Vision device.

Prerequisites

Network access to the moduWeb Vision web interface (typically TCP port 80 or 443)
No credentials required for exploitation of authentication bypass
Device must be reachable from attacker's network segment

Remotely exploitableNo authentication requiredLow complexityNo patch availableDefault or weak credentials likelyAffects critical infrastructure operations

Exploitability

Unlikely to be exploited — EPSS score 0.8%

Affected products (1)

ProductAffected VersionsFix Status

EY-WS505F0x0 moduWeb Vision: <1.6.0<1.6.0No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/3

HARDENINGIsolate moduWeb Vision devices on a dedicated, segmented network with restricted access from engineering workstations and operator terminals only

HARDENINGDeploy firewall rules to block unauthorized network access to moduWeb Vision ports from outside the facility network

WORKAROUNDUse a reverse proxy or SSL/TLS termination layer with authentication in front of moduWeb Vision to enforce encryption and require credentials for all access

Mitigations - no patch available

0/1

EY-WS505F0x0 moduWeb Vision: <1.6.0 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGMonitor network traffic to and from moduWeb Vision for suspicious activity or configuration changes

CVEs (3)

CVE-2015-7914 CVE-2015-7915 CVE-2015-7916

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/7ea34692-fa37-4c02-9fdc-24a79ad2938a

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.