OTPulse

Newport XPS-Cx, XPS-Qx

Monitor · 7.5 · ICS-CERT ICSA-17-178-01 · Jun 27, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Newport XPS-Cx and XPS-Qx motion controllers contain an authentication bypass vulnerability (CWE-287) that allows unauthenticated remote code execution. An attacker can bypass authentication controls and execute arbitrary commands on the affected devices without valid credentials.

What this means
What could happen
An attacker could remotely execute commands on Newport motion controllers without credentials, potentially altering motor setpoints, stopping equipment motion, or interfering with process automation in manufacturing and semiconductor equipment.
Who's at risk
Equipment manufacturers and integrators using Newport XPS motion controllers in precision positioning systems, semiconductor processing equipment, automated test systems, and scientific instrumentation should be concerned. This affects any facility where Newport XPS controllers manage critical motion control functions.
How it could be exploited
An attacker on the network can send specially crafted commands to the XPS controller on port 5001 (or similar command interface) without providing valid authentication. The device accepts and processes these commands, allowing the attacker to manipulate motion control parameters or halt system operation.
Prerequisites
  • Network access to the XPS-Cx or XPS-Qx command port (typically port 5001)
  • No valid credentials required
remotely exploitable · no authentication required · low complexity · no patch available
Exploitability
Moderate exploit probability (EPSS 1.3%)
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
XPS-Cx: all versions | All versions | No fix (EOL)
XPS-Qx: all versions | All versions | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Implement network segmentation to isolate XPS controllers behind a firewall and restrict access to authorized workstations only
  • WORKAROUND: Disable remote access to XPS controllers if not required for operations; restrict command interface to local connections only or trusted IP addresses
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Monitor network traffic to and from XPS controllers for unauthorized command attempts
Mitigations - no patch available
The following products have reached End of Life with no planned fix: XPS-Cx: all versions, XPS-Qx: all versions. Apply the following compensating controls:
  • HARDENING: Evaluate replacement with newer Newport motion control products that include proper authentication
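
One way to apply the access-restriction and traffic-monitoring items above to flow records, as an added example that is not part of the advisory or any vendor tooling. The controller addresses, the authorized workstation list and the whitespace-separated record format are assumptions, and the sample records are constructed; each record is assumed to list the connection initiator first.

```python
import ipaddress

# Assumed site values (hypothetical, not from the advisory).
CONTROLLERS = {ipaddress.ip_address("10.20.5.10"), ipaddress.ip_address("10.20.5.11")}
AUTHORIZED = [ipaddress.ip_network("10.20.0.15/32"), ipaddress.ip_network("10.20.0.16/32")]
COMMAND_PORTS = {5001}  # the advisory names 5001 as the typical command port

# Constructed flow records: time src sport dst dport proto (src = initiator)
SAMPLE_FLOWS = """\
2017-06-27T10:00:01Z 10.20.0.15 51544 10.20.5.10 5001 tcp
2017-06-27T10:02:17Z 10.20.9.77 40112 10.20.5.10 5001 tcp
2017-06-27T10:03:40Z 10.20.5.11 49200 203.0.113.8 443 tcp
2017-06-27T10:04:02Z 10.20.0.16 51810 10.20.5.11 5001 tcp
2017-06-27T10:05:30Z 192.0.2.44 33001 10.20.5.11 80 tcp
garbled line
"""

def is_authorized(addr):
    return any(addr in net for net in AUTHORIZED)

def review_flows(text):
    """Return (alerts, unparsed); alerts are (time, reason, src, dst, dport)."""
    alerts, unparsed = [], []
    for line in text.splitlines():
        fields = line.split()
        try:
            ts, src, _sport, dst, dport, _proto = fields
            src, dst, dport = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
        except ValueError:
            unparsed.append(line)  # keep for review instead of dropping silently
            continue
        if dst in CONTROLLERS and not is_authorized(src):
            # Any non-allowlisted peer is reported; the command port is called out.
            kind = "command-port" if dport in COMMAND_PORTS else "other-port"
            alerts.append((ts, f"unauthorized-{kind}", str(src), str(dst), dport))
        elif src in CONTROLLERS and not is_authorized(dst):
            # Traffic from the controller to a host outside the allowlist.
            alerts.append((ts, "controller-initiated", str(src), str(dst), dport))
    return alerts, unparsed

if __name__ == "__main__":
    alerts, unparsed = review_flows(SAMPLE_FLOWS)
    for alert in alerts:
        print(*alert)
    print(f"{len(unparsed)} unparsed line(s)")
```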