OTPulse

Schneider Electric Wonderware InTouch Access Anywhere

Plan Patch
CVSS: 8.8
ICS-CERT ICSA-17-089-01
Mar 30, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Schneider Electric Wonderware InTouch Access Anywhere versions 11.5.2 and earlier contain multiple vulnerabilities: cross-site request forgery (CWE-352), information disclosure (CWE-200), and weak cryptographic controls (CWE-326). These allow an unauthenticated remote attacker to bypass access controls, view sensitive operational data, and potentially manipulate SCADA commands. The vulnerabilities can be exploited without user interaction and require low technical skill.

What this means
What could happen
An attacker could gain unauthorized access to Wonderware InTouch Access Anywhere remote monitoring systems and view sensitive plant data or manipulate commands sent to production equipment without needing valid credentials.
Who's at risk
Energy sector operators running Wonderware InTouch Access Anywhere for remote SCADA access and plant monitoring. This affects engineering workstations, remote monitoring terminals, and any system using this software for real-time operational visibility and control of power generation, distribution, or water treatment equipment.
How it could be exploited
An attacker on the network sends a specially crafted request to Wonderware InTouch Access Anywhere without authentication. The request exploits a cross-site request forgery (CWE-352) or weak cryptographic controls (CWE-326) to bypass access controls and gain a session, then leverages information disclosure (CWE-200) to view operational data or inject commands.
Prerequisites
  • Network access to the Wonderware InTouch Access Anywhere web interface (typically port 80 or 443)
  • The application must be accessible from the attacker's network location
  • No valid credentials required if CSRF or authentication bypass is exploited
  • remotely exploitable
  • no authentication required
  • low complexity
  • high CVSS score (8.8)
  • affects remote access to critical infrastructure
  • weak cryptography in authentication
Exploitability
Moderate exploit probability (EPSS 1.0%)
Affected products (1)
Product | Affected Versions | Fix Status
Wonderware InTouch Access Anywhere | ≤ 11.5.2 | 17.0.0
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the Wonderware InTouch Access Anywhere web interface using a firewall; allow only authorized engineering workstations and SCADA networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Wonderware InTouch Access Anywhere to version 17.0.0 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate Wonderware Access Anywhere systems on a dedicated OT network with limited ingress/egress points
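
The following added example, which is not part of the advisory or any vendor tooling, triages an inventory against the workaround and the upgrade above: it flags hosts at or below 11.5.2 for upgrade and flags firewall allow rules that let sources outside the authorized networks reach ports 80 or 443. Host names, subnets and the rule format are constructed assumptions.

```python
import ipaddress

# Values taken from the advisory text.
AFFECTED_MAX = (11, 5, 2)   # versions 11.5.2 and earlier are affected
WEB_PORTS = {80, 443}       # web interface, "typically port 80 or 443"

# Assumption: constructed site data (authorized engineering/SCADA networks).
AUTHORIZED_NETS = [ipaddress.ip_network(n)
                   for n in ("10.20.30.0/28", "10.20.40.0/24")]
# Assumption: constructed inventory; "allow" holds (source CIDR, dest port).
SAMPLE_HOSTS = [
    {"name": "aa-gw-1", "version": "11.5.2",
     "allow": [("0.0.0.0/0", 443)]},
    {"name": "aa-gw-2", "version": "11.0",
     "allow": [("10.20.30.0/28", 443), ("10.20.40.16/28", 80)]},
    {"name": "aa-gw-3", "version": "17.0.0",
     "allow": [("10.20.0.0/16", 443), ("0.0.0.0/0", 3389)]},
]

def parse_version(text):
    """Compare on major.minor.patch only; extra build fields are ignored
    so that 11.5.2.x is conservatively treated as 11.5.2."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def is_affected(version):
    return parse_version(version) <= AFFECTED_MAX

def overbroad_rules(allow_rules):
    """Return web-port allow rules whose source is not fully contained
    in one of the authorized networks."""
    findings = []
    for cidr, port in allow_rules:
        if port not in WEB_PORTS:
            continue  # only the web interface is in scope here
        src = ipaddress.ip_network(cidr)
        if not any(src.subnet_of(net) for net in AUTHORIZED_NETS):
            findings.append((cidr, port))
    return findings

def triage(hosts):
    return {h["name"]: {"needs_upgrade": is_affected(h["version"]),
                        "overbroad": overbroad_rules(h["allow"])}
            for h in hosts}

if __name__ == "__main__":
    for name, result in triage(SAMPLE_HOSTS).items():
        print(name, result)
```
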