AMX Multiple Products Credential Management Vulnerabilities (Update A)

Plan PatchCVSS 9.9ICS-CERT ICSA-16-049-02ANov 21, 2016

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

AMX NetLinx, Enova, and Massio controllers contain vulnerabilities in credential management (CWE-256) that allow extraction or weak handling of embedded administrative credentials. Affected products include NX-series controllers, Enova DVX and DGX audio/video products, NI-series master controllers, and Massio ControlPads. Firmware versions below the indicated thresholds are vulnerable (e.g., NX series <1.4.65, Enova NX DGX <1.4.72_Hotfix_firmware, NI-700/900/2100/3100/4100 <4.1.419 or <3.60.456_Hotfix_firmware depending on model). The vendor has not released patches for the affected products and they remain vulnerable.

What this means

What could happen

An attacker with network access to an affected AMX controller could extract weak or default credentials embedded in the device, allowing them to gain administrative access and modify audio/video routing, conference room controls, or networked AV system configurations that support building operations.

Who's at risk

This vulnerability affects AMX NetLinx controllers (NX series), Enova DGX and DVX audio/video routing and management products, NI-series master controllers, and Massio control pads used in integrated AV systems, building automation, and conference room systems. Organizations operating networked audio, video distribution, or room control systems that depend on these AMX products should assess their exposure.

How it could be exploited

An attacker on the network sends requests to the affected AMX NetLinx, Enova, or Massio device on the default management port. The device stores credentials insecurely (likely hardcoded or weakly hashed). The attacker can extract or brute-force these credentials without authentication, then use them to log in and execute administrative commands that alter system behavior.

Prerequisites

Network access to the AMX device management port (typically port 23 or web interface port)
No credentials required to trigger the vulnerability, though valid credentials are needed to fully exploit after extraction

remotely exploitableno authentication requiredlow complexityno patch availablecredential extractionmany affected product variants

Exploitability

Some exploitation risk — EPSS score 2.7%

Affected products (43)

43 EOL

ProductAffected VersionsFix Status

NX-1200: <1.4.65<1.4.65No fix (EOL)

NX-1200: 1.4.65_Hotfix_firmware1.4.65 Hotfix firmwareNo fix (EOL)

NX-1200: 1.4.66_Hotfix_firmware1.4.66 Hotfix firmwareNo fix (EOL)

NX-2200: <1.4.65<1.4.65No fix (EOL)

NX-2200: 1.4.65_Hotfix_firmware1.4.65 Hotfix firmwareNo fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGIsolate AMX controllers from untrusted networks using network segmentation, firewalls, or VLANs—restrict access to engineering workstations only

WORKAROUNDDisable remote management ports (Telnet, web access) on AMX devices if not actively used for maintenance; use a jump host or bastion server for any necessary remote access

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGMonitor for suspicious access attempts to AMX controller management ports using firewall or IDS logs

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: NX-1200: <1.4.65, NX-1200: 1.4.65_Hotfix_firmware, NX-1200: 1.4.66_Hotfix_firmware, NX-2200: <1.4.65, NX-2200: 1.4.65_Hotfix_firmware, NX-2200: 1.4.66_Hotfix_firmware, NX-3200: <1.4.65, NX-3200: 1.4.65_Hotfix_firmware, NX-3200: 1.4.66_Hotfix_firmware, NX-4200 NetLinx Controller: <1.4.65, NX-4200 NetLinx Controller: 1.4.65_Hotfix_firmware, NX-4200 NetLinx Controller: 1.4.66_Hotfix_firmware, Massio ControlPads MCP-10x: <1.4.65, Massio ControlPads MCP-10x: 1.4.65_Hotfix_firmware, Massio ControlPads MCP-10x: 1.4.66_Hotfix_firmware, Enova DVX-x2xx: <1.4.65, Enova DVX-x2xx: 1.4.65_Hotfix_firmware, Enova DVX-x2xx: 1.4.72_Hotfix_firmware, DVX-31xxHD-SP (-T): <4.8.331, DVX-21xxHD-SP (-T): <4.8.331, DVX-2100HD-SP-T Master: <4.1.420_Hotfix_firmware, Enova DGX 100 NX Series Master: <1.4.72_Hotfix_firmware, Enova DGX 8/16/32/64 NX Series Master: <1.4.72_Hotfix_firmware, Enova DGX 8/16/32/64 NI Series Master: <4.2.397_Hotfix_firmware, NI-700: <4.1.419, NI-700: <3.60.456_Hotfix_firmware, NI-900 Master Controllers (64M RAM): <4.1.419, NI-900 Master Controllers (32M RAM): <3.60.456_Hotfix_firmware, NI-2100: <4.1.419, NI-2100 with ICSNet: <4.1.419, NI-3100: <4.1.419, NI-3100 with ICSNet: <4.1.419, NI-3100/256: <4.1.419, NI-3100/256 with ICSNet: <4.1.419, NI-4100: <4.1.419, NI-4100/256: <4.1.419, NI-3101-SIG Master Controller: <4.1.419, NI-2000: <3.60.456_Hotfix_firmware, NI-3000: <3.60.456_Hotfix_firmware, NI-4000: <3.60.456_Hotfix_firmware, ME260/64 Duet: <3.60.456_Hotfix_firmware, Enova DGX 100 NX Series Master: 1.4.72_Hotfix_firmware, Enova DGX 8/16/32/64 NX Series Master: 1.4.72_Hotfix_firmware. Apply the following compensating controls:

HARDENINGContact AMX support regarding end-of-life status and risk assessment for affected devices; plan replacement or extended support agreements

CVEs (2)

CVE-2015-8362 CVE-2016-1984

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/65a26677-eeb8-4e97-8a84-70e679f82f64

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.