ICONICS WebHMI Directory Traversal Vulnerability

Plan PatchCVSS 9.8ICS-CERT ICSA-16-091-01Jan 2, 2016

ICONICSManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A directory traversal vulnerability in ICONICS WebHMI versions 9 and earlier allows an unauthenticated remote attacker to read arbitrary files from the web server. By crafting HTTP requests with directory traversal sequences (../ or encoded variants), an attacker can bypass path restrictions and access sensitive files such as configuration files, credentials, or process documentation. The vulnerability has a CVSS score of 9.8 (critical) and affects all versions through 9. The vendor has not released a patch; no fixed version is available.

What this means

What could happen

An attacker with network access to WebHMI can read arbitrary files from the server, potentially exposing sensitive configuration data, credentials, or process documentation. This could lead to further attacks or unauthorized access to control systems.

Who's at risk

Manufacturing facilities using ICONICS WebHMI version 9 or earlier, particularly those with web-based access to HMI dashboards, operator interfaces, or engineering workstations for process monitoring and control. This includes facilities operating PLCs, process control systems, and SCADA networks managed through WebHMI.

How it could be exploited

An attacker sends a crafted HTTP request using directory traversal sequences (e.g., ../ or encoded variants) to the WebHMI web server to access files outside the intended directory structure. No authentication is required. The server returns the contents of sensitive files accessible to the web application process.

Prerequisites

Network access to WebHMI HTTP port (typically 80 or 443)
WebHMI version 9 or earlier running

remotely exploitableno authentication requiredlow complexityno patch availableallows sensitive data disclosure

Exploitability

Unlikely to be exploited — EPSS score 0.8%

Affected products (1)

ProductAffected VersionsFix Status

WebHMI: <=9≤ 9No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDImplement network access controls (firewall rules) to restrict HTTP/HTTPS access to WebHMI to only authorized engineering and operator workstations. Deny inbound access from untrusted networks.

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXEvaluate and upgrade to alternative ICONICS HMI products with active vendor support and security patches. WebHMI version 9 and earlier is end-of-life with no fix planned.

HARDENINGReview and restrict file system permissions on the WebHMI server to limit what files the web application process can read.

Mitigations - no patch available

0/2

WebHMI: <=9 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGIf WebHMI must be internet-facing, place it behind a Web Application Firewall (WAF) configured to block directory traversal attack patterns (../, encoding variants).

HARDENINGImplement network segmentation to isolate WebHMI and dependent control systems on a separate OT network segment with restricted access from the corporate IT network.

CVEs (1)

CVE-2016-2289

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/b5220960-53d2-4333-b69b-e916b5c72163

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.