Visonic PowerLink2 Vulnerabilities
Monitor | 6.1 | ICS-CERT ICSA-16-348-01 | Sep 16, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Visonic PowerLink2 firmware versions prior to October 2016 contain cross-site scripting (XSS) and information disclosure vulnerabilities in the web interface. The XSS flaw (CWE-79) allows injection of malicious scripts that execute in users' browsers, while the information disclosure issue (CWE-200) may expose sensitive device configuration or operational data. No patch has been released by the vendor for this product.
What this means
What could happen
An attacker could inject malicious code into web pages served by the PowerLink2 device or extract sensitive configuration data from it. This could lead to unauthorized control or monitoring of connected equipment.
Who's at risk
Energy sector operators, particularly those using Visonic PowerLink2 devices for alarm monitoring, remote facility management, or equipment control. This affects any organization that has PowerLink2 units connected to their network and accessible via a web browser.
How it could be exploited
An attacker sends a crafted request containing malicious script to the PowerLink2 web interface. When a user (such as an operator or engineer) accesses the device's web portal, the injected code executes in their browser, potentially stealing session credentials or allowing unauthorized commands to be sent to connected devices.
Prerequisites
- Network access to the PowerLink2 web interface (typically port 80 or 443)
- User interaction required: a legitimate operator or engineer must visit the compromised web page
remotely exploitable, no authentication required, low complexity, no patch available, user interaction required
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
PowerLink2 firmware: <October_2016 | <October 2016 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the PowerLink2 web interface using firewall rules; allow only trusted engineering workstations or management networks
WORKAROUND: Disable remote web access to the PowerLink2 if it is not operationally necessary; use only local management interfaces or VPN with additional authentication
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Use a proxy or WAF (web application firewall) in front of the PowerLink2 to filter malicious payloads if web access must remain enabled
Mitigations - no patch available
PowerLink2 firmware: <October_2016 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate PowerLink2 devices on a separate management VLAN with strict ingress/egress controls
CVEs (2)