Locus Energy LGate Command Injection Vulnerability
Plan Patch | 8.6 | ICS-CERT ICSA-16-231-01-0 | May 22, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Locus Energy LGate devices contain an OS command injection vulnerability in input handling. An attacker can send crafted network requests containing shell metacharacters that are passed unsanitized to system command execution functions, allowing remote code execution without authentication. Affected versions are all LGate models below firmware version 1.05H (LGate, LGate 50, 100, 101, 120, 320). The vendor has not released a patch.
What this means
What could happen
An attacker with network access could inject arbitrary commands into the LGate device, allowing remote execution that could alter energy management configurations, interrupt data reporting to control centers, or disrupt distributed energy resource operations.
Who's at risk
Energy utilities operating distributed energy resource (DER) systems, solar farms, or energy storage facilities using any Locus Energy LGate model (50, 100, 101, 120, 320) for device aggregation and SCADA communication. These devices sit at the boundary between distributed equipment and central control systems.
How it could be exploited
An attacker sends a specially crafted network request containing OS command syntax to the LGate's input handling logic. The device fails to sanitize the input and passes it to a system command executor, allowing the attacker to run arbitrary shell commands with the device's privilege level.
Prerequisites
- Network access to the LGate device (typically port 80/443 for web interface or port 502 for Modbus gateway functions)
- No authentication required
Remotely exploitable | No authentication required | Low complexity attack | No patch available | Affects energy infrastructure control systems
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (6)
6 EOL
Product | Affected Versions | Fix Status
LGate | <1.05H | No fix (EOL)
LGate 50 | <1.05H | No fix (EOL)
LGate 100 | <1.05H | No fix (EOL)
LGate 101 | <1.05H | No fix (EOL)
LGate 120 | <1.05H | No fix (EOL)
LGate 320 | <1.05H | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Isolate LGate devices on a dedicated network segment with firewall rules restricting inbound access to only authorized management stations and SCADA systems
- HARDENING: Implement network-based intrusion detection to monitor for command injection payloads (look for shell metacharacters like ;, |, &, >, <, $() in LGate traffic)
- WORKAROUND: Disable remote management access to LGate if not actively required; use out-of-band management (serial console or local USB) for configuration changes
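The intrusion-detection item above, as an added example (not Locus Energy or ICS-CERT code): a check that parses and percent-decodes HTTP parameters before matching, so that the `&` separating query parameters is not flagged while encoded or double-encoded metacharacters inside a value are. The path and parameter names in the sample requests are constructed for illustration and are not the LGate's actual interface; only form-encoded bodies are assumed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Metacharacters named in the advisory's detection item: ; | & > < $(
SHELL_META = re.compile(r"[;|&<>]|\$\(")

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo nested percent-encoding, e.g. %253B -> %3B -> ;"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_request(raw: str):
    """Return (location, name, decoded_value) for parameters holding shell metacharacters."""
    head, _, body = raw.partition("\r\n\r\n")
    _method, target, _version = head.split("\r\n", 1)[0].split(" ", 2)
    # parse_qsl splits on the separator first, then decodes each value once.
    fields = [("query", k, v) for k, v in
              parse_qsl(urlsplit(target).query, keep_blank_values=True, separator="&")]
    if "application/x-www-form-urlencoded" in head.lower():
        fields += [("body", k, v) for k, v in
                   parse_qsl(body, keep_blank_values=True, separator="&")]
    findings = []
    for where, name, value in fields:
        decoded = fully_decode(value)
        if SHELL_META.search(decoded):
            findings.append((where, name, decoded))
    return findings

# Constructed sample requests (hypothetical path and parameter names).
BENIGN = "GET /status?site=12&interval=60 HTTP/1.1\r\nHost: gw.example\r\n\r\n"
ENCODED = ("GET /config?host=10.0.0.5%3Becho%20test&interval=60 HTTP/1.1\r\n"
           "Host: gw.example\r\n\r\n")
DOUBLE = ("POST /config HTTP/1.1\r\nHost: gw.example\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          "name=a%2524%2528echo%2520test%2529")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("encoded", ENCODED), ("double", DOUBLE)):
        print(label, scan_request(req))
```

A pattern applied to the raw request line would alert on every multi-parameter request because of the `&` separator, and would miss the encoded forms entirely.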
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor LGate logs for failed configuration changes or unexpected process execution
Mitigations - no patch available
The following products have reached End of Life with no planned fix: LGate: <1.05H, LGate 50: <1.05H, LGate 100: <1.05H, LGate 101: <1.05H, LGate 120: <1.05H, LGate 320: <1.05H. Apply the following compensating controls:
- HARDENING: Evaluate replacement of LGate units with a current-generation gateway product from the vendor that includes command injection mitigations
CVEs (1)
API:
/api/v1/advisories/7a22829a-2bf6-4e9e-bdb3-bce331c4b6e7