OTPulse

Fidelix FX-20 Series Controllers Path Traversal Vulnerability

Monitor · CVSS 7.5 · ICS-CERT ICSA-16-357-01 · Sep 25, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The FX-20 series controllers contain a path traversal vulnerability in the web interface that allows an unauthenticated attacker to read arbitrary files from the controller's file system. By sending HTTP requests whose path contains parent-directory sequences (../), an attacker can escape the directory the web server is meant to serve and retrieve files outside it, including configuration data and credentials. Firmware versions earlier than 11.50.19 are affected. No patch is available from the vendor.

What this means
What could happen
An attacker with network access can read sensitive files from the controller's file system, including configuration files and potentially authentication credentials, without needing to authenticate.
Who's at risk
Water authorities and electric utilities using FX-20 series programmable logic controllers for process automation and SCADA systems. This includes any facility relying on these controllers for pump control, treatment process monitoring, or power distribution logic.
How it could be exploited
An attacker sends an HTTP request to the FX-20 web interface whose path contains parent-directory sequences (../). The controller does not canonicalise the requested path or check that the resolved file lies inside the web root, so it returns files outside the intended directory, such as configuration or system files. No authentication is required.
Prerequisites
  • Network reachability to the controller's web interface port (TCP 80 for HTTP, or 443 where HTTPS is configured)
  • The web interface must be enabled; no credentials, session, or user interaction are needed
Tags: remotely exploitable, no authentication required, low complexity, no patch available, confidentiality impact (file access)
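The mechanism described above, as an added example that is not code from Fidelix, ICS-CERT or this advisory: a naive static-file handler that joins the request path onto the web root, beside a hardened handler that canonicalises the path and checks containment. The web root, file names and contents are constructed fixtures in a temporary directory, not real FX-20 paths.

```python
"""Added example, not vendor or advisory code: a naive static-file handler that is
traversable, beside a hardened one. The web root and files are constructed fixtures
created in a temporary directory; they are assumptions, not real FX-20 paths."""
import os
import tempfile
import urllib.parse

# Constructed fixture: www/ is the intended web root; config.ini sits one level above it.
_BASE = tempfile.mkdtemp()
WEB_ROOT = os.path.join(_BASE, "www")
os.makedirs(WEB_ROOT)
with open(os.path.join(WEB_ROOT, "index.html"), "w") as fh:
    fh.write("<h1>FX-20</h1>")
with open(os.path.join(_BASE, "config.ini"), "w") as fh:
    fh.write("user=admin\npassword=hunter2\n")


def vulnerable_read(request_path):
    """Naive handler: decode once, drop the leading '/', join onto the web root.
    os.path.join never checks that the result stays inside WEB_ROOT, so a
    '../' segment walks out of it."""
    rel = urllib.parse.unquote(request_path).lstrip("/")
    with open(os.path.join(WEB_ROOT, rel), "rb") as fh:
        return fh.read()


def _decode_fully(value, max_rounds=3):
    """Percent-decode until stable so %252e%252e (double-encoded ..) is not missed."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def hardened_read(request_path):
    """Canonicalise, then require the resolved target to remain under WEB_ROOT.
    The containment check on the resolved path is what actually closes the hole;
    the decoding and backslash handling only make the check see the same path
    the operating system will open."""
    rel = _decode_fully(request_path)
    if "\x00" in rel:                       # NUL would truncate the path in C APIs
        raise PermissionError("NUL byte in request path")
    rel = rel.replace("\\", "/").lstrip("/")
    root = os.path.realpath(WEB_ROOT)
    target = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("request escapes web root: %r" % request_path)
    with open(target, "rb") as fh:
        return fh.read()


def compare(request_path):
    """Return (vulnerable_result, hardened_result); each is the file bytes or the
    exception class name, so the two handlers can be compared side by side."""
    out = []
    for handler in (vulnerable_read, hardened_read):
        try:
            out.append(handler(request_path))
        except OSError as exc:              # PermissionError is an OSError subclass
            out.append(type(exc).__name__)
    return tuple(out)


if __name__ == "__main__":
    for p in ("/index.html", "/../config.ini", "/%2e%2e/config.ini",
              "/%252e%252e/config.ini", "/..\\config.ini"):
        print("%-26s vulnerable=%r hardened=%r" % ((p,) + compare(p)))
```

The naive handler serves config.ini for both `/../config.ini` and the percent-encoded `/%2e%2e/config.ini`; the hardened one refuses every variant with PermissionError while still serving `/index.html`. The point to take from it is that pattern-matching on `..` is not the fix: the fix is resolving the path and checking that the result stays under the web root.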
Exploitability
Moderate exploit probability (EPSS 1.7%)
Affected products (1)
Product                    Affected Versions   Fix Status
FX-20 series controllers   < 11.50.19          No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation so that HTTP access to FX-20 controllers is possible only from authorized engineering workstations, never from untrusted or corporate networks.
WORKAROUND: Disable the FX-20 web interface if it is not required for normal operations.
WORKAROUND: Place a web application firewall or reverse proxy in front of the FX-20 interface and block requests containing path traversal sequences, including percent-encoded and double-encoded forms (../, ..\, %2e%2e/, %252e%252e/); reject such requests outright rather than rewriting them, since stripping ../ once is bypassed by ....//.
Schedule — requires maintenance window

If a firmware update becomes available, applying it will likely require a device reboot; plan for process interruption.


HARDENING: Monitor FX-20 access logs, and the logs of any proxy or IDS in front of the controller, for requests containing traversal sequences and for reads of files outside the web root; a 200 response to such a request indicates the read succeeded and warrants incident response.
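The proxy blocking rule and the log monitoring item above both come down to one check: decode the request path the way the server would and look for a parent-directory step. The following is an added example, not code from Fidelix, ICS-CERT or this advisory, showing that check used as a reverse-proxy deny decision and run over exported access logs. The log lines are a constructed common-log-format sample; the FX-20's actual log format is not described on this page and is an assumption, as are the addresses and file names.

```python
"""Added example, not vendor or advisory code: one traversal check that can be used
as a reverse-proxy deny rule and run over exported access logs. The log lines are a
constructed common-log-format sample; the FX-20's real log format is not described
on this page and is an assumption."""
import re
import urllib.parse
from collections import Counter

# Common log format: ip ident user [time] "METHOD path PROTO" status size (assumed format)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# A '..' segment bounded by a path or query delimiter, after decoding and slash folding.
DOTDOT_RE = re.compile(r'(?:^|[/?=&;])\.\.(?:[/?&;#]|$)')


def decode_fully(raw, max_rounds=3):
    """Percent-decode until the value stops changing, so %2e%2e and the
    double-encoded %252e%252e are both reduced to '..'."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw


def is_traversal(raw_path):
    """True when the request path, as a server would interpret it, contains a
    parent-directory step. Backslash is treated as a separator so '..\\' is
    caught on platforms that accept it. A plain substring check on '..' would
    also flag names such as 'release..txt'; anchoring on delimiters avoids that."""
    normalised = decode_fully(raw_path).replace("\\", "/")
    return DOTDOT_RE.search(normalised) is not None


def proxy_decision(raw_path):
    """Reverse-proxy rule: return 403 to block, None to pass through. Blocking is
    used instead of rewriting because stripping '../' once is bypassed by '....//'."""
    return 403 if is_traversal(raw_path) else None


def scan_log(lines):
    """Return the parsed entries whose request path carries a traversal sequence.
    The status is kept: a 200 on such a request suggests the read succeeded."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal(m.group("path")):
            hits.append({"ip": m.group("ip"), "path": m.group("path"),
                         "status": int(m.group("status"))})
    return hits


def sources(hits):
    """Count flagged requests per client address, for triage."""
    return Counter(h["ip"] for h in hits)


# Constructed sample log; addresses, paths and timestamps are made up.
SAMPLE_LOG = """\
10.0.5.12 - - [25/Sep/2016:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.5.12 - - [25/Sep/2016:10:01:03 +0000] "GET /docs/release..txt HTTP/1.1" 200 99
198.51.100.7 - - [25/Sep/2016:10:04:11 +0000] "GET /../../config/users.cfg HTTP/1.1" 200 733
198.51.100.7 - - [25/Sep/2016:10:04:12 +0000] "GET /%2e%2e/%2e%2e/config/users.cfg HTTP/1.1" 200 733
198.51.100.7 - - [25/Sep/2016:10:04:13 +0000] "GET /%252e%252e/%252e%252e/config/users.cfg HTTP/1.1" 404 0
198.51.100.7 - - [25/Sep/2016:10:04:14 +0000] "GET /view?file=..\\..\\config\\users.cfg HTTP/1.1" 200 733
"""

if __name__ == "__main__":
    flagged = scan_log(SAMPLE_LOG.splitlines())
    for h in flagged:
        print("%-14s %3d %s" % (h["ip"], h["status"], h["path"]))
    print(dict(sources(flagged)))
```

Run over the sample, the scan flags the four requests from 198.51.100.7 (plain, percent-encoded, double-encoded and backslash-in-query forms) and leaves the two benign lines alone, including the file name that merely contains "..". This is signature detection and remains a stopgap: overlong UTF-8 or other server-specific decodings can slip past it, which is why the page lists it under monitoring and workarounds rather than as a fix.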
API: /api/v1/advisories/c6d719d9-be04-4df8-93bc-913c0247bb52