OTPulse

ICSA-17-138-01_Miele Professional PG 85 Series

Act Now | 7.3 | ICS-CERT ICSA-17-138-01 | May 18, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A path traversal vulnerability exists in the Miele Professional PG 85 Series washing machines (PG8535, PG8527, PG8528, PG8536). The vulnerability allows an attacker to read arbitrary files from the device file system via specially crafted requests. Affected versions: PG8535 (1.00, 1.04), PG8527 (2.02, 2.51, 2.52, 2.54), PG8528 (2.02, 2.51, 2.52, 2.54), PG8536 (1.10, 1.14).

What this means
What could happen
An attacker with network access to the washing machine could read sensitive files from the device, potentially exposing configuration data, process parameters, or other information stored on the system. This could lead to further attacks or denial of service if critical files are affected.
Who's at risk
This affects organizations operating Miele Professional PG 85 Series commercial washing machines, particularly laundries, hotels, hospitals, and healthcare facilities that rely on these appliances for critical linen processing operations. The vulnerability allows unauthorized reading of device files, which could disrupt production or expose operational data.
How it could be exploited
An attacker on the network sends a specially crafted request using path traversal sequences (e.g., "../") to the Miele PG 85 Series web interface or management API. The vulnerable file access handler does not properly validate or sanitize the file path, allowing the attacker to read files outside the intended directory and potentially access system-level information.
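As an added example (not part of the advisory and not Miele or ICS-CERT code), the following Python flags requests whose path climbs above the web root in the access log of a proxy or firewall placed in front of the device. It assumes Common Log Format; the function names, log lines, addresses and file name are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

def escapes_root(target: str, max_decode: int = 3) -> bool:
    """Return True if the request path climbs above the web root."""
    path = urlsplit(target).path
    # Decode repeatedly so nested percent-encoding cannot hide the dots.
    for _ in range(max_decode):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    depth = 0
    for segment in path.replace("\\", "/").split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:  # stepped outside the served directory
                return True
        elif segment not in ("", "."):
            depth += 1
    return False

# Assumed Common Log Format: client ... "METHOD target HTTP/x" status
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')

def flag_traversal(lines):
    """Return (client, target, status) for each request that escapes the root."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and escapes_root(m.group(2)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits

# Constructed sample lines (documentation addresses, placeholder file name).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/May/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.44 - - [18/May/2017:10:00:07 +0000] "GET /../../placeholder.txt HTTP/1.1" 200 1024',
    '192.0.2.44 - - [18/May/2017:10:00:09 +0000] "GET /%2e%2e/%2e%2e/placeholder.txt HTTP/1.1" 200 1024',
    '192.0.2.10 - - [18/May/2017:10:00:12 +0000] "GET /img/../index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, target, status in flag_traversal(SAMPLE_LOG):
        print(f"{client} requested {target!r} -> HTTP {status}")
```

A flagged request that was answered with a success status is the case to investigate first, since it suggests the device served a file from outside the intended directory.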
Prerequisites
  • Network access to the Miele PG 85 Series device (typically HTTP/HTTPS port)
  • No authentication required
remotely exploitable, no authentication required, low complexity, high EPSS score (32.7%)
Exploitability
High exploit probability (EPSS 32.7%)
Affected products (4)
4 with fix
Product                                    Affected Versions          Fix Status
PG8535 version: 1.00 and 1.04              1.00 | 1.04                1.20
PG8527 version: 2.02 2.51 2.52 and 2.54    2.02 | 2.51 2.52 | 2.54    1.20
PG8528 version: 2.02 2.51 2.52 and 2.54    2.02 | 2.51 2.52 | 2.54    1.20
PG8536 version: 1.10 and 1.14              1.10 | 1.14                1.20
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the Miele PG 85 Series devices to only authorized management systems using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update PG8535 to version 1.20 or later
HOTFIX: Update PG8527 to version 1.20 or later
HOTFIX: Update PG8528 to version 1.20 or later
HOTFIX: Update PG8536 version 1.10 to version 1.20 or later
HOTFIX: Update PG8536 version 1.14 to version 1.24 or later