OTPulse
FeedAboutContact

Envitech Ltd. EnviDAS Ultimate

Plan Patch8.2ICS-CERT ICSA-17-285-03Oct 12, 2017
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

EnviDAS Ultimate versions below 1.0.0.5 contain an authentication bypass vulnerability (CWE-287) that allows remote attackers to access the application and its functions without providing valid credentials. The vulnerability has a CVSS score of 8.2 and is remotely exploitable with low complexity.

What this means
What could happen
An attacker could bypass authentication and gain unauthorized access to EnviDAS Ultimate configuration, potentially allowing remote modification of system settings or data that affects environmental monitoring and reporting operations.
Who's at risk
Environmental monitoring system operators and utilities managing water quality, air quality, or industrial emission monitoring systems using EnviDAS Ultimate should prioritize this issue. Affects the ability to protect configuration and operational data in environmental compliance and reporting systems.
How it could be exploited
An attacker on the network can send specially crafted requests directly to the EnviDAS Ultimate application without valid credentials. The application fails to properly validate authentication, allowing the attacker to access sensitive functions or data remotely.
Prerequisites
  • Network access to EnviDAS Ultimate application port (typically 80 or 443)
  • No authentication credentials required
remotely exploitableno authentication requiredlow complexityauthentication bypass (CWE-287)no patch available
Exploitability
Moderate exploit probability (EPSS 1.3%)
Affected products (1)
ProductAffected VersionsFix Status
EnviDAS Ultimate:< 1.0.0.5No fix (EOL)
Remediation & Mitigation
0/3
Do now
0/1
WORKAROUNDRestrict network access to EnviDAS Ultimate application using firewall rules to only authorized engineering workstations and control systems
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade EnviDAS Ultimate to version 1.0.0.5 or later if available from vendor
Mitigations - no patch available
0/1
EnviDAS Ultimate: has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGImplement network segmentation to isolate EnviDAS Ultimate on a dedicated VLAN with strict access controls
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/d285981e-2769-43bf-ab3a-6b4b9b9991cd
Envitech Ltd. EnviDAS Ultimate | CVSS 8.2 - OTPulse