INDAS Web SCADA Path Traversal Vulnerability

Act Now10ICS-CERT ICSA-16-278-01Jul 8, 2016

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Web SCADA versions before 3 contain a path traversal vulnerability that allows unauthenticated attackers to read and write arbitrary files on the server. The vulnerability exists in the web interface's file handling logic, which does not properly validate or sanitize user-supplied file paths. An attacker can use relative path sequences to escape the intended directory and access sensitive files such as configuration data, credentials, or control system parameters.

What this means

What could happen

An attacker with network access could read or write arbitrary files on the Web SCADA server, potentially accessing sensitive configuration files, credentials, or modifying process control logic.

Who's at risk

Energy sector operators running Web SCADA systems, including water treatment and electrical distribution facilities that use the product for remote process monitoring and control.

How it could be exploited

An attacker sends a specially crafted HTTP request with a path traversal payload (e.g., containing "../" sequences) to the Web SCADA web interface. The application does not properly validate or sanitize the file path, allowing the attacker to escape the intended directory and access files anywhere on the system.

Prerequisites

Network access to the Web SCADA web interface (TCP port 80/443)
No authentication required

remotely exploitableno authentication requiredlow complexitycritical CVSS 10no patch availableend-of-life product

Exploitability

High exploit probability (EPSS 10.4%)

Affected products (1)

ProductAffected VersionsFix Status

Web SCADA: <3<33.0

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGImplement network segmentation to restrict access to the Web SCADA web interface to only authorized engineering workstations and operator terminals; block external access via firewall rules

WORKAROUNDDeploy a web application firewall (WAF) to detect and block path traversal attempts (e.g., requests containing ../ or encoded variants)

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGMonitor Web SCADA logs and network traffic for suspicious file access patterns or requests with encoded special characters

Long-term hardening

0/1

HARDENINGPlan migration or replacement of Web SCADA with a supported SCADA platform that has active security maintenance

CVEs (1)

CVE-2016-8343

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ab0a5039-e221-4376-ac8a-a96439b78ea7