Schneider Electric Wonderware Historian
Monitor | 7.3 | ICS-CERT ICSA-17-024-01 | Jan 24, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Wonderware Historian 2014 R2 contains vulnerabilities in its network communication layer that allow unauthenticated remote attackers to query and modify the historian database. The vulnerabilities stem from insufficient input validation and lack of authentication enforcement on the historian service. An attacker can access sensitive process history data, operational trends, and measurements stored in the historian without providing valid credentials.
What this means
What could happen
An attacker could retrieve sensitive historical process data or modify stored measurements without authentication, affecting the integrity and confidentiality of operational records in your historian database.
Who's at risk
Energy sector operators running Wonderware Historian 2014 R2 for archiving SCADA data, measurements, and alarms. This includes fossil fuel, renewable, and grid management facilities that rely on historical trend analysis for diagnostics and regulatory compliance reporting.
How it could be exploited
An attacker with network access sends crafted requests directly to the Wonderware Historian service. No authentication is required; the attacker can read process history data or modify stored values without knowing valid credentials. This could compromise historical records that operators rely on for troubleshooting and compliance auditing.
Prerequisites
- Network access to Wonderware Historian on port 5450 (or configured historian port)
- No valid credentials required
Tags: remotely exploitable, no authentication required, low complexity, no patch available, unauthenticated data access
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (1)
Product | Affected Versions | Fix Status
Wonderware Historian 2014 R2: SP1 P01 and earlier | < SP1 P01 | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Isolate Wonderware Historian on a protected network segment; restrict access from engineering workstations and other systems to only those that require historian queries
- WORKAROUND: Implement firewall rules to block unauthenticated network access to Historian ports from systems outside the industrial network
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor historian service for unexpected connection attempts and query patterns that deviate from normal maintenance activities
Long-term hardening
- HOTFIX: Plan migration from Wonderware Historian 2014 R2 to a supported version with security patches
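One way to act on the monitoring and firewall items above is to review firewall or flow logs for traffic to the historian port from sources outside an allowlist. The following is an added example, not part of the advisory or any vendor tooling; the log format, the allowlisted subnets and all addresses are constructed assumptions, and only port 5450 comes from this page.

```python
import ipaddress
from collections import Counter

HISTORIAN_PORT = 5450  # port named in the advisory; change if reconfigured
# Assumption: sources permitted to query the historian (constructed values)
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.30.0/28", "10.20.31.5/32")]

# Constructed sample flow records: "timestamp src_ip dst_ip dst_port action"
SAMPLE_LOG = """\
2024-01-01T08:00:01Z 10.20.30.4 10.20.40.10 5450 ALLOW
2024-01-01T08:00:07Z 10.20.31.5 10.20.40.10 5450 ALLOW
2024-01-01T08:02:13Z 192.168.50.77 10.20.40.10 5450 ALLOW
2024-01-01T08:02:14Z 192.168.50.77 10.20.40.10 5450 ALLOW
2024-01-01T08:03:00Z 172.16.9.2 10.20.40.10 5450 DENY
2024-01-01T08:03:30Z 10.20.30.4 10.20.40.10 443 ALLOW
malformed line
"""

def is_allowed(src_ip):
    """True if the source address falls inside any allowlisted network."""
    return any(src_ip in net for net in ALLOWED_SOURCES)

def find_unexpected(log_text, port=HISTORIAN_PORT):
    """Return (alerts, per-source counts) for historian-port traffic
    coming from sources that are not on the allowlist."""
    alerts, counts = [], Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip records that do not match the assumed format
        ts, src, dst, dport, action = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dport = int(dport)
        except ValueError:
            continue
        if dport != port or is_allowed(src_ip):
            continue
        # ALLOW from an unlisted source means a gap in the firewall rules;
        # DENY means the rule worked but the attempt is still worth tracking.
        severity = "high" if action == "ALLOW" else "info"
        alerts.append({"time": ts, "src": src, "dst": dst,
                       "action": action, "severity": severity})
        counts[src] += 1
    return alerts, counts

if __name__ == "__main__":
    found, per_source = find_unexpected(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(dict(per_source))
```

A "high" result indicates the segmentation or firewall rule is not yet effective for that source; repeated "info" results from one source are the unexpected connection attempts the monitoring item refers to.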
CVEs (1)