GE MDS PulseNET and MDS PulseNET Enterprise

Plan PatchCVSS 7.3ICS-CERT ICSA-18-151-02May 31, 2018

Energy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

GE PulseNET and PulseNET Enterprise versions 3.2.1 and earlier contain authentication bypass and XML external entity (XXE) injection vulnerabilities. The product fails to properly validate user credentials (CWE-287), allowing unauthenticated access to administrative functions. Additionally, improper XML parsing (CWE-611) enables attackers to read arbitrary files or execute code on the host server. Path traversal issues (CWE-23) may also allow access to restricted files. Exploitation requires only network connectivity to the PulseNET web interface and can result in privilege escalation and data theft.

What this means

What could happen

An attacker could exploit authentication flaws and XML parsing issues to gain elevated privileges on the PulseNET server and steal sensitive data like user credentials or system information from utility operators and assets.

Who's at risk

Electric utilities and energy organizations operating GE PulseNET or PulseNET Enterprise for SCADA data aggregation, reporting, or network monitoring. This affects anyone relying on PulseNET to monitor and manage distribution or transmission equipment across substations and field devices.

How it could be exploited

An attacker on the network sends specially crafted requests to the PulseNET web interface, exploiting missing or weak authentication checks (CWE-287) to bypass login controls. They then send malicious XML payloads (CWE-611) to trigger information disclosure or further privilege escalation, allowing command execution or data exfiltration from the host server.

Prerequisites

Network access to the PulseNET web server (default HTTP/HTTPS port)
No valid credentials required for initial exploitation
PulseNET version 3.2.1 or earlier running on vulnerable configuration

remotely exploitableno authentication requiredlow complexityno patch available for versions 3.2.1 and earlieraffects energy sector infrastructure

Exploitability

Some exploitation risk — EPSS score 5.5%

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

PulseNET Enterprise:≤ 3.2.14.1

PulseNET:≤ 3.2.14.1

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDRestrict network access to the PulseNET server to only authorized engineering workstations and control center terminals using firewall rules

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate PulseNET to version 4.1 or newer immediately

Long-term hardening

0/2

HARDENINGImplement physical access controls to limit who can access the PulseNET server hardware

HARDENINGDedicate the PulseNET server to the PulseNET application only; do not run other services or applications on the same host

CVEs (3)

CVE-2018-10611 CVE-2018-10613 CVE-2018-10615

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/30b5b1e9-7977-4dc9-9299-5ea0e1d22e0a

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.