OTPulse

Black Box AlertWerks ServSensor Credential Management Vulnerability

MonitorCVSS 6.5ICS-CERT ICSA-16-147-03Feb 27, 2016
Attack path
Attack VectorNetwork
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary

Black Box AlertWerks ServSensor devices contain an information disclosure vulnerability that allows authenticated users with valid engineering or administrative credentials to access sensitive configuration data that should be restricted. The vulnerability exists in the credential management implementation and affects multiple AlertWerks ServSensor model variants (EME105A, EME106A, EME108A-R2, EME109A-R2, EME110A-R2, EME102A-R2, EME103A-R2, EME104A-R2, EME152A, EME153A, EME154A, EME155A, EME158A, and EME111A/112A/113A Contact series) running firmware versions prior to SP473. Black Box has not released a firmware update to address this vulnerability.

What this means
What could happen
An attacker with valid credentials can view sensitive information stored on the AlertWerks ServSensor device, potentially exposing configuration details, monitoring thresholds, or other system parameters used to manage facility infrastructure.
Who's at risk
Organizations operating Black Box AlertWerks ServSensor environmental monitoring devices across their data centers, network closets, or critical infrastructure facilities should assess their exposure. This affects all versions of the ServSensor product line (standard, Junior, Junior with PoE, and Contact models) running firmware SP473 or earlier. Environmental monitoring devices are commonly deployed in unattended locations to track temperature, humidity, and other conditions critical to equipment uptime.
How it could be exploited
An attacker with valid engineering or administrative credentials can authenticate to the AlertWerks ServSensor via network access (HTTP/HTTPS or management interface) and read sensitive data such as configuration settings, system parameters, or stored credentials without proper access controls.
Prerequisites
  • Valid engineering or administrative credentials for the AlertWerks ServSensor device
  • Network access to the device's management interface (HTTP/HTTPS port or proprietary management port)
  • Device running firmware version SP473 or earlier
Requires valid credentialsRequires network access to management interfaceNo patch availableLow complexity attack
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (19)
19 pending
ProductAffected VersionsFix Status
Black Box’s AlertWerks ServSensor, model number EME105A: <firmware_SP473<firmware SP473No fix yet
Black Box’s AlertWerks ServSensor, model number EME106A: <firmware_SP473<firmware SP473No fix yet
Black Box’s AlertWerks ServSensor, model number EME108A-R2: <firmware_SP473<firmware SP473No fix yet
Black Box’s AlertWerks ServSensor, model number EME109A-R2: <firmware_SP473<firmware SP473No fix yet
Black Box’s AlertWerks ServSensor, model number EME110A-R2: <firmware_SP473<firmware SP473No fix yet
Remediation & Mitigation
0/5
Do now
0/3
HARDENINGRestrict network access to the AlertWerks ServSensor management interface using firewall rules to only authorized engineering workstations and administrative networks
HARDENINGEnforce strong, unique credentials for all AlertWerks ServSensor administrative accounts and change default credentials if they exist
WORKAROUNDDisable remote management access if not required for normal operations
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HARDENINGMonitor access logs for the AlertWerks ServSensor and alert on unauthorized authentication attempts
Long-term hardening
0/1
HARDENINGImplement network segmentation to isolate AlertWerks ServSensor devices on a separate management network with restricted access from general IT networks
View full CISA ICS-CERT advisory
API: /api/v1/advisories/f7acb32d-f49a-4a14-b5b0-daf92f9142e9

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.