OTPulse

Schneider Electric PowerSCADA Anywhere and Citect Anywhere

Plan Patch | 8.1 | ICS-CERT ICSA-17-201-01 | Jul 20, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required

Summary

Schneider Electric PowerSCADA Anywhere and Citect Anywhere version 1.0 contain multiple vulnerabilities in the web-based interface. Together, CWE-352 (cross-site request forgery), CWE-200 (exposure of sensitive information), CWE-298 (improper validation of certificate with host mismatch), and CWE-146 (improper neutralization of argument delimiters) allow an attacker with network access to the application to perform unauthorized actions or extract sensitive data.

What this means
What could happen
An attacker could perform unauthorized actions in the SCADA system or access sensitive system information by exploiting web application vulnerabilities, potentially compromising visibility or control of industrial processes.
Who's at risk
Electric utilities and energy facilities that use Schneider Electric PowerSCADA Anywhere (versions 1.0 or bundled with PowerSCADA Expert v8.1/v8.2) or Citect Anywhere (version 1.0) for remote SCADA monitoring and control. Particularly critical for organizations with internet-exposed engineering workstations or remote operator access.
How it could be exploited
An attacker on the network sends a crafted request to the PowerSCADA Anywhere or Citect Anywhere web interface. Due to CSRF vulnerabilities and weak input validation, the application processes the request without proper verification, allowing the attacker to execute commands or retrieve sensitive data like credentials or process configurations.
Prerequisites
  • Network access to the PowerSCADA Anywhere or Citect Anywhere web interface (typically port 80 or 443)
  • User interaction may be required (victim must click a malicious link or visit a compromised page)
  • The affected product must be deployed and accessible from the attacker's network
Remotely exploitable | Low complexity attack | No authentication required | No patch available | User interaction required
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
1 pending, 1 EOL
Product | Affected Versions | Fix Status
PowerSCADA Anywhere redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 | 1.0 | No fix yet
Citect Anywhere | 1.0 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Do not deploy PowerSCADA Anywhere or Citect Anywhere version 1.0 in environments requiring remote access
WORKAROUND: Restrict network access to the PowerSCADA Anywhere and Citect Anywhere web interfaces using firewall rules to limit connections to authorized engineering workstations only
WORKAROUND: Disable remote web access to these applications if not operationally required
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Implement a Web Application Firewall (WAF) to detect and block CSRF attacks and malformed requests
HARDENING: Monitor web server logs for suspicious requests to PowerSCADA Anywhere and Citect Anywhere interfaces
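
One way to carry out the log-monitoring and access-restriction items above, as an added example that is not part of the advisory or of Schneider Electric's guidance: it flags requests from outside the authorized workstation range and state-changing requests whose Referer points at another site, a common CSRF indicator. The combined log format, hostname, subnet and request paths are assumptions to replace with your own.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Assumptions, not taken from the advisory: combined log format, this
# hostname, this engineering-workstation subnet, and the sample paths.
SITE_HOSTS = {"scada-anywhere.example.internal"}
ALLOWED_NETS = [ip_network("10.20.30.0/28")]
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) \S+ [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

def triage(line):
    """Return the findings for one access-log line (empty list if clean)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable"]
    try:
        src = ip_address(m["ip"])
    except ValueError:
        return ["unparseable"]
    findings = []
    # Firewall workaround check: traffic should only come from allowed hosts.
    if not any(src in net for net in ALLOWED_NETS):
        findings.append("source-not-allowlisted")
    # CSRF indicator: a state-changing request whose Referer is another site.
    if m["method"] in STATE_CHANGING:
        ref = m["referer"]
        if ref in ("", "-"):
            findings.append("state-change-without-referer")
        elif urlsplit(ref).hostname not in SITE_HOSTS:
            findings.append("cross-origin-state-change")
    return findings

def scan(log_text):
    """Return (line_number, findings) for every line that needs review."""
    hits = [(n, triage(l)) for n, l in enumerate(log_text.splitlines(), 1)]
    return [(n, f) for n, f in hits if f]

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
10.20.30.5 - op1 [20/Jul/2017:10:00:01 +0000] "GET /app/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.20.30.5 - op1 [20/Jul/2017:10:00:09 +0000] "POST /app/action HTTP/1.1" 200 64 "https://scada-anywhere.example.internal/app/" "Mozilla/5.0"
10.20.30.6 - op2 [20/Jul/2017:10:02:44 +0000] "POST /app/action HTTP/1.1" 200 64 "http://other-site.example/page" "Mozilla/5.0"
192.0.2.77 - - [20/Jul/2017:10:05:12 +0000] "GET /app/ HTTP/1.1" 200 512 "-" "curl/7.50"
"""
```

A missing Referer can be legitimate (privacy settings, some proxies), so treat that finding as a prompt for review rather than proof of forgery.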