Solar Controls WATTConfig M Software

Monitor7.8ICS-CERT ICSA-17-222-03Aug 10, 2017

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

WATTConfig M software versions 2.5.10.1 and earlier contain an untrusted search path vulnerability (CWE-427) that allows arbitrary code execution. The vulnerability is triggered when a user opens a malicious configuration file or project, and the software executes embedded code without proper validation. Solar Controls has not coordinated with CISA/ICS-CERT on a fix, and no patch is available.

What this means

What could happen

An attacker with access to the WATTConfig M software can execute arbitrary code on the system, which could allow them to modify solar inverter configurations, disable power production, or cause equipment damage.

Who's at risk

Solar facility operators and engineers using WATTConfig M software for solar inverter and energy management system configuration. This affects organizations relying on Solar Controls equipment for distributed solar installations, micro-grids, and renewable energy management systems.

How it could be exploited

An attacker needs to trick a user into opening a malicious file or project in WATTConfig M software. Once the software loads the file, it executes embedded code without proper validation, allowing command execution on the engineering workstation.

Prerequisites

Local access to the engineering workstation running WATTConfig M
User interaction to open a crafted file or project

Low complexity exploitationUser interaction requiredNo patch availableAffects energy generation systemsVendor non-responsive to remediation efforts

Exploitability

Low exploit probability (EPSS 0.2%)

Affected products (1)

ProductAffected VersionsFix Status

WATTConfig M Software:≤ 2.5.10.1No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/1

HARDENINGTrain personnel not to open configuration files or projects from untrusted sources in WATTConfig M

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGRestrict file execution permissions on engineering workstations to prevent code injection attacks

Long-term hardening

0/1

HOTFIXDiscontinue use of WATTConfig M software version 2.5.10.1 or earlier if possible. Evaluate alternative solar configuration management tools.

Mitigations - no patch available

0/1

WATTConfig M Software: has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate solar control engineering workstations from general corporate networks

CVEs (1)

CVE-2017-9648

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/0cba49c1-c5d7-4641-883d-90383accb180