OTPulse

JanTek JTC-200

Act Now | 9.8 | ICS-CERT ICSA-17-283-02 | Oct 10, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed

Summary

JTC-200 devices are affected by cross-site request forgery and authentication bypass vulnerabilities that allow remote code execution without credentials. The vulnerabilities have a CVSS score of 9.8 (critical) and public exploits are available. JanTek will not provide security patches or mitigations for JTC-200. The vendor is developing a replacement JTC-300 model.

What this means
What could happen
An attacker can remotely execute arbitrary code on the JTC-200 without authentication, potentially allowing full control of the device and any connected industrial processes or safety systems it controls.
Who's at risk
Water authorities, electric utilities, and other industrial facilities operating JTC-200 controllers are affected. This device is commonly used in process control and automation applications where remote code execution could disrupt critical infrastructure operations.
How it could be exploited
An attacker with network access to the JTC-200 can send a specially crafted request to the device exploiting the cross-site request forgery (CSRF) and authentication bypass vulnerabilities. No credentials or user interaction are required; the attack can be performed entirely remotely.
Prerequisites
  • Network access to the JTC-200 device
  • Device is reachable from the attacker's network or the internet
remotely exploitable | no authentication required | low complexity | no patch available | public exploits available
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
JTC-200: all versions | All versions | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Isolate JTC-200 devices from external networks and untrusted network segments using a firewall or air-gap approach
  • HARDENING: Restrict network access to JTC-200 to only authorized engineering workstations and control systems that require connectivity
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Plan replacement of JTC-200 devices with JTC-300 units or alternative solutions from other vendors, as no fix will be provided
Mitigations - no patch available
JTC-200 (all versions) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Implement network segmentation to place JTC-200 on a dedicated industrial control network separate from corporate IT networks