Carlo Gavazzi VMU-C EM and VMU-C PV

Act NowCVSS 10ICS-CERT ICSA-17-012-03Jan 12, 2017

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The VMU-C EM and VMU-C PV devices contain multiple vulnerabilities in access control and input validation that allow an unauthenticated attacker on the network to execute arbitrary commands on the device. The vulnerabilities affect the web server interface and stem from insufficient authentication, improper access restrictions, and information disclosure flaws. Exploitation requires only network access to the device and no valid credentials. These devices are commonly used for electrical power measurement (EM) and photovoltaic system monitoring (PV) in industrial and utility environments.

What this means

What could happen

An attacker with network access to the device can run arbitrary commands and take complete control of the energy or power management system, potentially disrupting power distribution or measurement operations and causing loss of monitoring and control visibility.

Who's at risk

This affects energy and power management operators using Carlo Gavazzi VMU-C EM (electrical measurement) or VMU-C PV (photovoltaic) monitoring units. Organizations operating distributed solar systems, substations, or facilities with real-time power metering should prioritize this.

How it could be exploited

An attacker on the network sends a specially crafted request to the web server of the VMU-C device. Because no authentication is required and the HTTP protocol is unencrypted/unauthenticated, the attacker can bypass access controls and execute commands directly on the device to alter its configuration, disable functions, or redirect data.

Prerequisites

Network access to the VMU-C device HTTP/web server port
No authentication credentials required
Device running vulnerable firmware versions (VMU-C EM < A11_U05 or VMU-C PV < A17)

Remotely exploitableNo authentication requiredLow complexity to exploitHigh EPSS score (64.6%)CVSS Critical (10.0)Affects industrial measurement and control systems

Exploitability

Likely to be exploited — EPSS score 64.6%

Metasploit module available — weaponized exploitView module ↗

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

VMU-C EM: prior to firmware< A11 U05A11_U05

VMU-C PV: prior to firmware< A17A17

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDRestrict network access to VMU-C web server to trusted engineering networks only; use firewall rules to block unauthorized access from other subnets

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate VMU-C EM firmware to version A11_U05 or later

HOTFIXUpdate VMU-C PV firmware to version A17 or later

Long-term hardening

0/1

HARDENINGIsolate VMU-C devices on a dedicated VLAN or industrial network segment separate from office IT networks and untrusted systems

CVEs (3)

CVE-2017-5144 CVE-2017-5145 CVE-2017-5146

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/e6852a5a-aeeb-426e-9dd3-a97d8684e623

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.