Meteocontrol WEB'log Vulnerabilities (Update A)
Act Now
CVSS 9.8
ICS-CERT ICSA-16-133-01A
Feb 13, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Meteocontrol WEB'log devices (Basic 100, Light, Pro, Pro Unlimited) contain multiple critical vulnerabilities: improper access control (CWE-284), unrestricted upload of files (CWE-553), cross-site request forgery (CWE-352), and information disclosure (CWE-200). These flaws allow an unauthenticated attacker on the network to gain full administrative control of the device via the web interface. No vendor patch is available for any affected model.
What this means
What could happen
An attacker could gain full administrative access to the WEB'log device and execute arbitrary commands, allowing them to read sensitive data (inverter settings, generation logs), modify system configurations, or shut down the device entirely.
Who's at risk
Solar PV and renewable energy facility operators. WEB'log devices are used to monitor and log photovoltaic inverter data in utility-scale and distributed solar installations. Affected systems include Basic 100, Light, Pro, and Pro Unlimited models used in facilities across North America and Europe.
How it could be exploited
An attacker can reach the WEB'log web interface over the network (port 80/443) with no authentication required. They exploit multiple authorization flaws and cross-site request forgery (CSRF) to gain administrative privileges and execute system commands directly on the device.
Prerequisites
- Network access to the WEB'log web interface (typically HTTP/HTTPS)
- No credentials required for initial exploitation
- Remotely exploitable
- No authentication required
- Low complexity
- High EPSS score (75.3%)
- No patch available
- CVSS 9.8 (critical)
Exploitability
High exploit probability (EPSS 75.3%)
Affected products (4)
4 EOL
Product | Affected Versions | Fix Status
WEB'log Basic 100: vers:all/* | All versions | No fix (EOL)
WEB'log Light: vers:all/* | All versions | No fix (EOL)
WEB'log Pro: vers:all/* | All versions | No fix (EOL)
WEB'log Pro Unlimited: vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to the WEB'log device to only authorized engineering workstations and monitoring systems using firewall rules and network segmentation
- WORKAROUND: Disable remote web access to the device if not required for operations; access the device only from the local plant network
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor network traffic to and from the WEB'log device for suspicious activity, particularly unauthorized HTTP/HTTPS requests
Mitigations - no patch available
The following products have reached End of Life with no planned fix: WEB'log Basic 100: vers:all/*, WEB'log Light: vers:all/*, WEB'log Pro: vers:all/*, WEB'log Pro Unlimited: vers:all/*. Apply the following compensating controls:
- HARDENING: Implement network segmentation to isolate the WEB'log device from the corporate IT network and internet-facing systems
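One way to check the access-restriction and monitoring items above against flow logs, as an added example that is not part of the advisory or any vendor tooling: it flags HTTP/HTTPS connections to the device from sources outside an allowlist, and any connection the device itself opens to an unlisted peer. The record format, addresses and allowlist are constructed assumptions.

```python
import ipaddress

# Assumed values for illustration; replace with the site's own addressing.
DEVICE_IP = ipaddress.ip_address("10.20.30.40")   # constructed WEB'log address
ALLOWED = [ipaddress.ip_network(n) for n in (
    "10.20.30.10/32",   # constructed engineering workstation
    "10.20.31.0/28",    # constructed monitoring subnet
)]
WEB_PORTS = {80, 443}   # web interface ports named in the advisory

# Constructed flow records: "<time> <src_ip> <src_port> <dst_ip> <dst_port>"
SAMPLE_FLOWS = """\
2024-01-15T08:00:01Z 10.20.30.10 51522 10.20.30.40 80
2024-01-15T08:03:17Z 10.20.31.5 40110 10.20.30.40 443
2024-01-15T09:41:50Z 192.0.2.77 33012 10.20.30.40 80
2024-01-15T09:42:02Z 10.20.30.40 49200 198.51.100.9 443
garbled line
""".splitlines()


def is_allowed(addr):
    """True if addr falls inside any allowlisted network."""
    return any(addr in net for net in ALLOWED)


def find_unauthorized(lines, device=DEVICE_IP):
    """Return (time, reason, peer) for flows that violate the allowlist."""
    findings = []
    for line in lines:
        try:
            ts, src, _sport, dst, dport = line.split()
            src = ipaddress.ip_address(src)
            dst = ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            continue  # skip records that do not match the assumed format
        if dst == device and dport in WEB_PORTS and not is_allowed(src):
            findings.append((ts, "inbound-web-from-unlisted-source", str(src)))
        elif src == device and not is_allowed(dst):
            findings.append((ts, "device-initiated-to-unlisted-peer", str(dst)))
    return findings


if __name__ == "__main__":
    for ts, reason, peer in find_unauthorized(SAMPLE_FLOWS):
        print(ts, reason, peer)
```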