OTPulse

Martem TELEM-GW6/GWM (Update B)

Severity: Act Now (CVSS 10, reflecting the most severe issue, CVE-2018-10603)
Source: ICS-CERT ICSA-18-142-01, May 22, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Martem TELEM-GW6 and GWM remote terminal units contain multiple critical vulnerabilities: the RTU executes IEC-104 control commands without authenticating the sender (CVE-2018-10603); default SSH credentials and incorrect default permissions let an attacker gain root and fully compromise the RTU (CVE-2018-10605); connections to one or more IOAs that are opened and never closed exhaust the device and cause a denial of service (CVE-2018-10607); and unsanitized input in the web interface allows cross-site scripting, i.e. client-side code execution in an operator's browser (CVE-2018-10609). Communication channels and TCP/IP command execution are reachable without authentication, and the web interface lacks proper access controls. Default SSH credentials and a firewall that is disabled by default increase exposure. Firmware 2.0.87-4018403-k4 fixes only the default-password and SSH issue; for the remaining vulnerabilities remediation relies on configuration hardening and compensating controls.

What this means
What could happen
An attacker on the network could execute unauthorized commands on the RTU, take full control of the device, disrupt operations, or inject malicious code into the web interface. This could alter pump speeds, valve positions, or alarm settings in water/power distribution systems.
Who's at risk
Operators of Martem TELEM-GW6 or GWM remote terminal units (RTUs) used for process monitoring and control, including water treatment facilities, power distribution, manufacturing plants, and other industrial automation environments that rely on these devices for SCADA communication and RTU management.
How it could be exploited
An attacker with network access to the device can send IEC-104 control commands over TCP without authentication, take over the RTU through weak or default SSH credentials, or inject script through the unprotected web interface. Low skill is required: for the command-execution issue, network reachability and a standard IEC-104 client are sufficient.
Prerequisites
  • Network access to the RTU on the TCP/IP ports used by its communication channels (IEC-104 listens on TCP port 2404 by default)
  • For the SSH compromise: default or weak credentials (CVE-2018-10605)
  • For the web interface attack: reachability of the WebServer port, no authentication, and an operator who views the injected page (CVE-2018-10609)
  • For unauthorized process commands: reachability of the IEC-104 channel; no credentials are needed (CVE-2018-10603)
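The unauthenticated command path above is the one the 'other side IP' restriction is meant to close, and it is also the one worth watching for on the wire. The following is an added example, not code from the advisory or from Martem: a small Python detector that decodes IEC-104 APDUs captured on the RTU's TCP/2404 channel and flags process control ASDUs (type IDs 45-51 and 58-64 with an activation or deactivation cause of transmission) whose source is not the configured master. The allowlist value and the frames are constructed for the example; in practice the allowlist would mirror the channel's 'other side IP' setting and the frames would come from a network tap or IDS feed.

```python
"""Flag IEC-104 control commands from hosts other than the configured master.

Added example for the Martem TELEM-GW6/GWM advisory (CVE-2018-10603: the RTU
executes IEC-104 control ASDUs without authenticating the sender). This is not
Martem code; the allowlist and frames below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# IEC 60870-5-101/104 type identifiers of process control ASDUs (master -> RTU).
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    48: "C_SE_NA_1 set point, normalized value",
    49: "C_SE_NB_1 set point, scaled value",
    50: "C_SE_NC_1 set point, short float",
    51: "C_BO_NA_1 bitstring of 32 bits",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
    60: "C_RC_TA_1 regulating step command with time tag",
    61: "C_SE_TA_1 set point, normalized, with time tag",
    62: "C_SE_TB_1 set point, scaled, with time tag",
    63: "C_SE_TC_1 set point, short float, with time tag",
    64: "C_BO_TA_1 bitstring of 32 bits with time tag",
}
COT_ACTIVATION = 6      # cause of transmission a master uses to issue a command
COT_DEACTIVATION = 8


@dataclass
class Asdu:
    type_id: int
    cot: int
    common_address: int
    ioa: int


def parse_apdu(apdu: bytes) -> Optional[Asdu]:
    """Decode one IEC-104 APDU; return its ASDU, or None for S/U-format or malformed frames."""
    if len(apdu) < 6 or apdu[0] != 0x68:
        return None
    length = apdu[1]                      # covers the 4 control octets plus the ASDU
    if length < 4 or length != len(apdu) - 2:
        return None
    if apdu[2] & 0x01:
        return None                       # bit 0 set: S-format or U-format, no ASDU
    asdu = apdu[6:]
    if len(asdu) < 9:                     # type id, VSQ, COT(2), CA(2), IOA(3)
        return None
    return Asdu(
        type_id=asdu[0],
        cot=asdu[2] & 0x3F,               # bits 6/7 of the COT octet are P/N and test flags
        common_address=asdu[4] | (asdu[5] << 8),
        ioa=asdu[6] | (asdu[7] << 8) | (asdu[8] << 16),
    )


def detect_unauthorized_commands(
    events: Iterable[Tuple[str, bytes]], allowed_masters: Set[str]
) -> List[dict]:
    """events: (source IP, APDU bytes) pairs captured on the channel toward the RTU.
    Returns one alert per control ASDU whose source is not an allowed master."""
    alerts = []
    for src_ip, apdu in events:
        asdu = parse_apdu(apdu)
        if asdu is None or asdu.type_id not in CONTROL_TYPE_IDS:
            continue
        if asdu.cot not in (COT_ACTIVATION, COT_DEACTIVATION):
            continue                      # confirmations/terminations are RTU replies
        if src_ip in allowed_masters:
            continue
        alerts.append({
            "src_ip": src_ip,
            "type_id": asdu.type_id,
            "description": CONTROL_TYPE_IDS[asdu.type_id],
            "cot": asdu.cot,
            "common_address": asdu.common_address,
            "ioa": asdu.ioa,
        })
    return alerts


# Hypothetical allowlist mirroring the channel's 'other side IP' setting.
ALLOWED_MASTERS = {"10.0.0.10"}

# Constructed frames: 68 <len> <4 control octets> <ASDU>; all I-format with seq 0/0.
SAMPLE_EVENTS = [
    # allowed master: general interrogation C_IC_NA_1 (type 100), not a control command
    ("10.0.0.10", bytes.fromhex("680e00000000" "6401" "0600" "0100" "000000" "14")),
    # allowed master: single command ON to IOA 1
    ("10.0.0.10", bytes.fromhex("680e00000000" "2d01" "0600" "0100" "010000" "01")),
    # unknown host: U-format TESTFR act, carries no ASDU
    ("10.0.0.99", bytes.fromhex("680443000000")),
    # unknown host: single command OFF to IOA 1 (the CVE-2018-10603 path)
    ("10.0.0.99", bytes.fromhex("680e00000000" "2d01" "0600" "0100" "010000" "00")),
    # unknown host: double command to IOA 2
    ("10.0.0.99", bytes.fromhex("680e00000000" "2e01" "0600" "0100" "020000" "02")),
]

if __name__ == "__main__":
    for alert in detect_unauthorized_commands(SAMPLE_EVENTS, ALLOWED_MASTERS):
        print(alert)
```

Running the block prints the two commands from 10.0.0.99; the interrogation and the command from the allowed master pass silently, as does the U-format test frame. Because the RTU itself cannot tell the master from an intruder, any alert here means the 'other side IP' restriction or the network firewall has been bypassed or is not configured.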
Tags: remotely exploitable · no authentication required for process command execution · low complexity · firmware fix covers only the SSH/default-credential issue · default credentials · affects industrial control systems · affects safety and process integrity
Exploitability
Moderate exploit probability (EPSS 2.9%)
Affected products (2, both with a firmware fix)

Product | Affected Versions   | Fix Status
GW6     | < 2.0.87-4018403-k4 | 2.0.87-4018403-k4
GWM     | < 2.0.87-4018403-k4 | 2.0.87-4018403-k4
Remediation & Mitigation

Do now
  • WORKAROUND: Configure the 'other side IP' field in the RTU TCP/IP channel settings so each channel accepts connections only from its trusted communication partner (the SCADA master).
  • HARDENING: Change all default passwords to strong, unique values immediately.
  • HARDENING: Enable the firewall rules in the RTU configuration to block unauthorized SSH access (IPv4 and IPv6) and restrict WebServer connections.
  • HARDENING: Disable the WebServer feature in the RTU configuration if it is not actively needed for remote configuration.
  • WORKAROUND: Protect any WebServer that must stay enabled with a strong password and 'other side IP' restrictions.

Schedule (requires a maintenance window)

Patching may require a device reboot; plan for process interruption.

  • HOTFIX: Upgrade firmware to version 2.0.87-4018403-k4 or newer; this fixes the default password and SSH vulnerabilities (CVE-2018-10605) but not the unauthenticated IEC-104 command execution, which still depends on the workarounds above.
  • HARDENING: Use SSH public key authentication instead of password authentication where possible.
  • HARDENING: Route all remote access to the RTU through a VPN tunnel.
  • HOTFIX: Update the GWS.exe configurator software to the latest version available from Martem.

Long-term hardening
  • HARDENING: Ensure the RTU is never directly reachable from the Internet; isolate it on an industrial network segment behind a firewall.