LOYTEC LVIS-3ME
Plan Patch · 8.1 · ICS-CERT ICSA-17-257-01 · Sep 14, 2017
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
LOYTEC LVIS-3ME building automation controllers contain multiple vulnerabilities in input validation (CWE-23), cryptographic token generation (CWE-331), and web interface handling (CWE-79, CWE-522). These allow remote code execution without authentication. Versions prior to 6.2.0 are affected. No patch is available from the vendor.
What this means
What could happen
An attacker with network access to the LVIS-3ME could execute code remotely, allowing them to modify building automation setpoints, disable HVAC controls, or disrupt facility operations without authentication.
Who's at risk
Building automation operators and facility managers using LVIS-3ME devices in commercial HVAC systems, data centers, and industrial facilities should prioritize mitigation: the device controls critical climate control, and operations cannot be easily relocated or replaced.
How it could be exploited
An attacker sends a crafted network request to port 80 or 443 on the LVIS-3ME. Due to improper input validation (CWE-23) and use of insufficiently random tokens (CWE-331), the device accepts the request and executes code in the attacker's context, bypassing authentication.
Prerequisites
- Network reachability to the LVIS-3ME device (HTTP/HTTPS ports)
- No credentials required
- Device connected to an accessible network segment
remotely exploitable · no authentication required · low complexity · no patch available · affects facility control systems
Exploitability
Moderate exploit probability (EPSS 8.3%)
Affected products (1)
Product | Affected Versions | Fix Status
LVIS-3ME | < 6.2.0 | 6.2.0
Remediation & Mitigation
Do now
- HARDENING: Isolate LVIS-3ME devices on a dedicated building automation network segment with firewall rules restricting inbound access to trusted engineering workstations only
- WORKAROUND: Disable remote web access to LVIS-3ME if not required for normal operations; use local serial or Ethernet access from an isolated engineering network only
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HARDENING: Monitor network traffic to LVIS-3ME for unexpected connections and log all remote access attempts
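
The isolation and monitoring items above can be checked together by auditing firewall logs for web-port connections to LVIS-3ME devices from sources outside the trusted engineering range. This is an added example, not part of the advisory or any vendor guidance; the device addresses, trusted subnet and log line format are constructed assumptions.

```python
import ipaddress

# Assumptions (not from the advisory): device IPs, trusted subnet and the
# log line format are constructed for illustration.
LVIS_DEVICES = {ipaddress.ip_address(a) for a in ("10.20.0.11", "10.20.0.12")}
TRUSTED_SOURCES = [ipaddress.ip_network("10.20.5.0/28")]  # engineering workstations
WEB_PORTS = {80, 443}  # HTTP/HTTPS ports named in the advisory

# Constructed sample firewall log: timestamp action proto src:port -> dst:port
SAMPLE_LOG = """\
2017-09-14T08:01:12Z ACCEPT tcp 10.20.5.3:51544 -> 10.20.0.11:443
2017-09-14T08:03:40Z ACCEPT tcp 192.168.40.77:40210 -> 10.20.0.11:80
2017-09-14T08:04:02Z DROP tcp 203.0.113.9:33812 -> 10.20.0.12:443
2017-09-14T08:05:19Z ACCEPT tcp 10.20.5.4:50022 -> 10.20.0.12:22
2017-09-14T08:06:55Z ACCEPT tcp 192.168.40.77:40388 -> 10.20.0.50:80
truncated line without fields
"""

def parse_line(line):
    """Return (ts, action, src_ip, dst_ip, dst_port), or None if malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "->":
        return None
    try:
        src = ipaddress.ip_address(parts[3].rsplit(":", 1)[0])
        dst_host, dst_port = parts[5].rsplit(":", 1)
        return parts[0], parts[1], src, ipaddress.ip_address(dst_host), int(dst_port)
    except ValueError:
        return None

def unexpected_web_access(log_text):
    """Flag web-port connections to LVIS devices from untrusted sources."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the audit
        ts, action, src, dst, port = rec
        if dst not in LVIS_DEVICES or port not in WEB_PORTS:
            continue
        if any(src in net for net in TRUSTED_SOURCES):
            continue
        # ACCEPT means the firewall rule set has a gap; DROP is a blocked attempt.
        kind = "rule-gap" if action == "ACCEPT" else "blocked-attempt"
        findings.append((ts, kind, str(src), str(dst), port))
    return findings

if __name__ == "__main__":
    for finding in unexpected_web_access(SAMPLE_LOG):
        print(*finding)
```

A "rule-gap" finding means the firewall allowed an untrusted source through and the rule set needs tightening; a "blocked-attempt" finding is worth logging as a remote access attempt.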