Schneider Electric InduSoft Web Studio, InTouch Machine Edition
Priority: Act Now
CVSS: 9.8
Source: ICS-CERT ICSA-17-264-01
Published: Sep 21, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
An authentication bypass (CWE-306) in Schneider Electric InduSoft Web Studio and AVEVA InTouch Machine Edition v8.0 SP2 and earlier allows unauthenticated remote attackers to gain complete control of the SCADA interface without credentials. CVSS 9.8 (critical): network attack vector, no authentication and no user interaction required.
What this means
What could happen
An unauthenticated attacker on the network could gain complete control of the InduSoft or InTouch server, allowing them to modify process parameters, stop production, or disrupt SCADA operations at industrial facilities.
Who's at risk
Energy sector operators using Schneider Electric InduSoft Web Studio or AVEVA InTouch Machine Edition for SCADA visualization and control should prioritize this vulnerability. It affects any facility that relies on these platforms for real-time process monitoring and setpoint management in electric generation, transmission, or distribution systems.
How it could be exploited
An attacker with network access to the web interface or API endpoints can send a crafted request to bypass authentication checks (CWE-306: Missing Authentication for Critical Function). This grants direct access to the engineering environment or runtime, where they can execute arbitrary commands or modify configurations.
Prerequisites
- Network access to the InduSoft Web Studio or InTouch Machine Edition web service (typically port 80/443)
- No credentials required
- Vulnerable version installed (v8.0 SP2 or earlier)
Tags: remotely exploitable, no authentication required, low complexity, no patch available for InduSoft Web Studio, affects SCADA operations
Exploitability
Moderate exploit probability (EPSS 1.6%)
Affected products (2)
1 with fix, 1 EOL

Product                                    | Affected Versions | Fix Status
InduSoft Web Studio: v8.0 SP2 or prior     | < 8.0 SP2         | No fix (EOL)
InTouch Machine Edition: v8.0 SP2 or prior | < 8.0 SP2         | 8.0 SP2 Patch 1
Remediation & Mitigation
Do now
- HARDENING: For InduSoft Web Studio, isolate the server on a restricted network segment and disable direct internet access until a patch is available
- HARDENING: Implement network access controls to restrict connections to the web interface to authorized engineering workstations only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade InTouch Machine Edition to v8.0 SP2 Patch 1 or later
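An added triage example (not from the advisory, the ICS-CERT alert, or the vendor's tooling) that applies the affected-version data and the two network-control steps above: it classifies a constructed inventory of HMI hosts by fix status, and flags connections to their web service (ports 80/443) from sources outside an engineering-workstation allowlist, using constructed firewall-style log lines. The version notation ("v8.0 SP2", "8.0 SP2 Patch 1") follows the advisory; the host names, addresses, log format and networks are assumptions.

```python
"""Triage hosts against ICSA-17-264-01 affected versions and check who reaches
the HMI web service. Inventory, log lines and networks are constructed samples."""
import ipaddress
import re

# Fix status per product, as stated in the advisory's product table.
FIXED_IN = {
    "InduSoft Web Studio": None,                 # EOL: no fix, isolate instead
    "InTouch Machine Edition": "8.0 SP2 Patch 1",
}
LAST_AFFECTED = "8.0 SP2"  # "v8.0 SP2 or prior" is affected for both products

# Accepts "v8.0", "8.0 SP2", "v8.0 SP2 Patch 1" (notation used by the advisory).
VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)(?:\s*SP(\d+))?(?:\s*Patch\s*(\d+))?$", re.IGNORECASE)
LOG_FIELD_RE = re.compile(r"(\w+)=(\S+)")  # constructed key=value log format


def parse_version(text: str) -> tuple:
    """'v8.0 SP2 Patch 1' -> (8, 0, 2, 1); a missing SP or Patch counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def fix_status(product: str, version: str) -> str:
    """Classify one installed version using the advisory's product table."""
    fixed = FIXED_IN[product]
    v = parse_version(version)
    if fixed is not None and v >= parse_version(fixed):
        return "patched"                       # fix level "or later" (HOTFIX step)
    if v <= parse_version(LAST_AFFECTED):
        return ("vulnerable: upgrade to " + fixed) if fixed else "vulnerable: EOL, isolate"
    return "not in affected range"             # newer than the advisory's data


def unauthorized_web_access(log_text: str, hmi_addrs, allowed_nets, web_ports=(80, 443)):
    """Return (src, dst, dport) for web-port connections to HMI hosts whose
    source lies outside the engineering-workstation allowlist."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hits = set()
    for line in log_text.splitlines():
        fields = dict(LOG_FIELD_RE.findall(line))
        if not {"src", "dst", "dport"} <= fields.keys():
            continue                            # not a connection record
        if fields["dst"] not in hmi_addrs or int(fields["dport"]) not in web_ports:
            continue                            # not the HMI web interface
        src = ipaddress.ip_address(fields["src"])
        if not any(src in net for net in nets):
            hits.add((fields["src"], fields["dst"], int(fields["dport"])))
    return sorted(hits)


def triage(inventory, log_text: str, allowed_nets) -> dict:
    """Per host: fix status plus any unauthorized sources seen on its web ports."""
    hmi_addrs = {addr for _, addr, _, _ in inventory}
    hits = unauthorized_web_access(log_text, hmi_addrs, allowed_nets)
    report = {}
    for name, addr, product, version in inventory:
        report[name] = {
            "status": fix_status(product, version),
            "unauthorized_sources": sorted({s for s, d, _ in hits if d == addr}),
        }
    return report


# Constructed sample data (hostnames, addresses and networks are assumptions).
SAMPLE_INVENTORY = [
    ("hmi-a", "10.10.1.5", "InduSoft Web Studio", "v8.0 SP2"),
    ("hmi-b", "10.10.1.6", "InTouch Machine Edition", "8.0 SP2 Patch 1"),
    ("hmi-c", "10.10.1.7", "InTouch Machine Edition", "v8.0 SP1"),
]
ALLOWED_NETS = ["10.10.5.0/24"]  # engineering workstation segment (assumed)
SAMPLE_LOG = """\
2017-09-21T10:15:32Z src=10.10.5.21 dst=10.10.1.5 dport=80 action=allow
2017-09-21T10:16:01Z src=192.168.77.9 dst=10.10.1.5 dport=443 action=allow
2017-09-21T10:16:40Z src=10.10.5.22 dst=10.10.1.6 dport=80 action=allow
2017-09-21T10:17:05Z src=172.16.3.4 dst=10.10.1.6 dport=22 action=allow
2017-09-21T10:18:11Z src=172.16.3.4 dst=10.10.1.5 dport=80 action=allow
"""

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_INVENTORY, SAMPLE_LOG, ALLOWED_NETS).items():
        print(host, finding)
```

Any host reported as "vulnerable: EOL, isolate" with a non-empty unauthorized-source list is the case the hardening steps target: the only control is segmentation, and the log shows it is not yet in place.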
CVEs (1)
API:
/api/v1/advisories/2ac34e46-0c65-4860-8f1b-602261c70e90