OTPulse

Moxa SoftCMS SQL Injection Vulnerability

Priority: Act Now
CVSS: 9.8
Source: ICS-CERT ICSA-16-215-01
Date: May 6, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SoftCMS versions prior to 1.5 contain a SQL injection vulnerability caused by insufficient input validation in the web interface. An attacker can inject arbitrary SQL commands to read, modify, or delete database contents, potentially compromising system configuration, monitoring data, and control settings. The vulnerability affects all pre-1.5 installations, and no vendor patch is available.

What this means
What could happen
An attacker could bypass authentication and execute arbitrary SQL commands against the SoftCMS database, potentially accessing, modifying, or deleting critical system configuration and monitoring data. This could disrupt remote monitoring and control operations at networked facilities.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using Moxa SoftCMS for remote SCADA system monitoring and configuration should be concerned. SoftCMS is commonly deployed as a centralized monitoring platform for geographically distributed RTUs, PLCs, and remote sites.
How it could be exploited
An attacker with network access to the SoftCMS web interface can send crafted SQL injection payloads in input fields (such as login, search, or configuration parameters) to execute arbitrary database queries without needing valid credentials. Once inside the database, they could extract sensitive data, modify system settings, or disable monitoring capabilities.
Prerequisites
  • Network access to SoftCMS web interface (typically HTTP/HTTPS port 80 or 443)
  • No authentication required to exploit the vulnerability
Tags: remotely exploitable, no authentication required, low complexity, no patch available, high CVSS score (9.8)
Exploitability
Moderate exploit probability (EPSS 1.7%)
Affected products (1)
Product   Affected Versions   Fix Status
SoftCMS   <1.5                No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Isolate SoftCMS from untrusted networks using firewall rules; restrict access to the web interface to authorized engineering workstations and management networks only
  • HARDENING: Monitor SoftCMS access logs and database activity for signs of SQL injection attempts (unusual characters in input fields, unexpected database queries)
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • WORKAROUND: If running SoftCMS <1.5, evaluate replacing or decommissioning the application as no vendor patch is available; document the risk and obtain security exceptions if continued operation is required
  • HARDENING: Apply web application firewall (WAF) rules to detect and block common SQL injection patterns in HTTP requests to SoftCMS
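As an added example (not part of the OTPulse advisory or of Moxa's software), the log monitoring and WAF-pattern items above applied to constructed web-server access log lines: request parameters are decoded and scored against common SQL injection indicators so that a lone apostrophe in a search term is not reported while a tautology or UNION probe is. The paths, parameter names and log lines are assumed for illustration, not SoftCMS's real ones.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed combined-format access log lines (not from a real SoftCMS host).
SAMPLE_LOG = """\
10.0.5.21 - - [06/May/2016:10:14:02 +0000] "GET /login?user=engineer&pass=Summer2016 HTTP/1.1" 302 221
203.0.113.45 - - [06/May/2016:10:15:47 +0000] "GET /login?user=admin%27%20OR%20%271%27%3D%271&pass=x HTTP/1.1" 200 5120
203.0.113.45 - - [06/May/2016:10:16:03 +0000] "GET /search?q=1%20UNION%20SELECT%201%2C2%2C3-- HTTP/1.1" 200 8833
10.0.5.22 - - [06/May/2016:10:17:10 +0000] "GET /search?q=O%27Brien%20pump HTTP/1.1" 200 1490
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Weighted indicators: strong structural patterns score 3, weak hints score 1.
# A threshold keeps a single quote (O'Brien) below the alert line.
SQLI_INDICATORS = [
    (re.compile(r"'\s*(or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+"), "tautology", 3),
    (re.compile(r"union(\s+all)?\s+select"), "union-select", 3),
    (re.compile(r";\s*(drop|delete|update|insert|exec)\b"), "stacked-statement", 3),
    (re.compile(r"\b(sleep|benchmark)\s*\(|waitfor\s+delay"), "time-based", 3),
    (re.compile(r"(--|#|/\*)"), "sql-comment", 1),
    (re.compile(r"'"), "quote", 1),
]


def score_request(target):
    """Return (score, reasons) for the decoded query parameters of a request target."""
    score, reasons = 0, []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl decodes once; a second pass catches double-encoded payloads.
        decoded = unquote_plus(value).lower()
        for pattern, label, weight in SQLI_INDICATORS:
            if pattern.search(decoded):
                score += weight
                reasons.append(f"{name}:{label}")
    return score, reasons


def flag_sqli(lines, threshold=3):
    """Return alert dicts for log lines whose parameters look like SQL injection."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the monitor
        score, reasons = score_request(m["target"])
        if score >= threshold:
            alerts.append({"ip": m["ip"], "target": m["target"], "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in flag_sqli(SAMPLE_LOG.splitlines()):
        print(alert)
```

The same indicator list can seed WAF rules, but keep the threshold logic in the monitor: blocking on the weak single-quote hint alone would break legitimate searches.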