LCDS - Leão Consultoria e Desenvolvimento de Sistemas Ltda ME LAquis SCADA

Monitor5.3ICS-CERT ICSA-17-082-01Mar 23, 2017

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

LAquis SCADA contains a path traversal vulnerability in its web interface that allows unauthenticated remote attackers to read arbitrary files from the server. The vulnerability exists in versions prior to 4.1.0.3237. An attacker can use directory traversal sequences to access configuration files, operational data, or other sensitive information without needing valid credentials. The vendor has not planned to fix this vulnerability.

What this means

What could happen

An attacker can read sensitive files from the LAquis SCADA server without authentication, potentially exposing configuration files, database contents, or operational data. Since the vulnerability has no planned fix, affected installations face permanent exposure.

Who's at risk

Energy sector organizations operating LAquis SCADA systems for plant monitoring and control. This includes utilities managing generation, transmission, or distribution equipment that rely on this software for supervisory functions.

How it could be exploited

An attacker on the network sends a specially crafted HTTP request with directory traversal sequences (e.g., ../ paths) to the LAquis SCADA web interface to access files outside the intended directory. The vulnerability requires only network access to the SCADA server's HTTP port and no authentication.

Prerequisites

Network access to LAquis SCADA server HTTP/web port
No authentication required
Server running vulnerable version (< 4.1.0.3237)

remotely exploitableno authentication requiredlow complexityno patch availabledirectory traversal allows file disclosure

Exploitability

Moderate exploit probability (EPSS 6.7%)

Affected products (1)

ProductAffected VersionsFix Status

LAquis SCADA software:< 4.1.0.3237No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGIsolate LAquis SCADA servers from untrusted networks using firewall rules; restrict HTTP/web access to engineering workstations and approved management networks only

HARDENINGMonitor network traffic for unusual HTTP requests with directory traversal patterns (../) targeting the SCADA server

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

WORKAROUNDIf upgrade to fixed version is not possible, disable the LAquis SCADA web interface if it is not operationally required

Mitigations - no patch available

0/1

LAquis SCADA software: has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGImplement network segmentation to separate SCADA systems from corporate networks and the internet

CVEs (1)

CVE-2017-6020

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/d124b871-0189-4d24-9de9-ff8c5edf706d