OTPulse

ProMinent MultiFLEX M10a Controller

Plan Patch
CVSS: 8.8
ICS-CERT ICSA-17-285-01
Oct 12, 2017
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

The ProMinent MultiFLEX M10a controller contains multiple vulnerabilities (CWE-602, CWE-613, CWE-352, CWE-200, CWE-620) that allow an authenticated user to execute arbitrary commands remotely on the controller. All versions of the device are affected. The vulnerabilities are remotely exploitable and require only a low skill level once valid engineering credentials are obtained.

What this means
What could happen
An attacker with valid engineering credentials could remotely execute commands on the MultiFLEX M10a controller, potentially altering chemical injection setpoints, stopping dosing operations, or manipulating process parameters in water treatment or chemical feed systems.
Who's at risk
Water treatment facilities, chemical injection systems, and any operation using ProMinent MultiFLEX M10a dosing controllers. This affects facility operators responsible for maintaining safe chemical feed rates and process stability.
How it could be exploited
An attacker with valid engineering workstation credentials can connect to the MultiFLEX M10a's network interface and execute arbitrary commands on the controller. Exploitation requires authentication, but only a low skill level once credentials are obtained.
Prerequisites
  • Valid engineering workstation credentials
  • Network access to the MultiFLEX M10a controller
  • Access to engineering interface or remote management port
  • Remotely exploitable
  • No patch available
  • Low complexity to exploit
  • Affects safety-critical chemical dosing operations
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product: ProMinent MultiFLEX M10a
Affected Versions: All versions
Fix Status: No fix yet
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the MultiFLEX M10a engineering interface using firewall rules or network segmentation; only permit connections from authorized engineering workstations
HARDENING: Implement strong access controls and change default credentials for all engineering accounts
WORKAROUND: Disable remote engineering access if it is not actively required for operations; require local console access only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor network traffic to the controller for unauthorized access attempts
Long-term hardening
HARDENING: Contact ProMinent directly to determine a long-term mitigation or upgrade path, given that no fix is available