Emerson AMS Device Manager

Act Now10ICS-CERT ICSA-18-270-01Sep 27, 2018

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

AMS Device Manager versions 12.0 through 13.5 contain multiple vulnerabilities (CVE-2018-14808 and others, CWE-284 and CWE-269) that allow unauthorized remote code execution and malware injection. The vulnerabilities stem from improper input validation and access control enforcement. An attacker can exploit these flaws to execute arbitrary code on the AMS Device Manager host, potentially gaining control over field device configurations and monitoring functions. The vulnerability cannot be exploited if application whitelisting is implemented.

What this means

What could happen

An attacker with network access to AMS Device Manager could execute arbitrary code on the host system, allowing them to manipulate device configurations, alter process parameters, or disable monitoring and control functions across connected field devices.

Who's at risk

Water utilities and electric utilities using Emerson AMS Device Manager (versions 12.0 through 13.5) to manage field instrument configurations and monitoring. This affects any facility that relies on AMS for asset diagnostics and device lifecycle management across Modbus, HART, Foundation Fieldbus, or Profibus networks.

How it could be exploited

An attacker on the network sends a malicious request to the AMS Device Manager application. The application fails to properly validate input or enforce access controls, allowing the attacker to inject code or overwrite critical application files. If application whitelisting is not in place, the attacker gains code execution on the server.

Prerequisites

Network access to the AMS Device Manager application port
No application whitelisting deployed

Remotely exploitableNo authentication requiredLow complexity attackCVSS score 10.0 (critical)Affects control system configuration and monitoringNo patch available for current versions

Exploitability

Moderate exploit probability (EPSS 5.2%)

Affected products (1)

ProductAffected VersionsFix Status

AMS Device Manager: v12.0 to v13.5≥ 12.0 | ≤ 13.5later than v13.5

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDImplement application whitelisting on the AMS Device Manager host to prevent unauthorized file execution and overwrite attacks

HARDENINGRestrict network access to AMS Device Manager to authorized engineering workstations only using firewall rules

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXApply software patches from Emerson Guardian Support Portal (Knowledge Base articles NK-1700-0324, NK-1700-0252, DeltaV NK-1800-0880) to upgrade AMS Device Manager beyond v13.5

Long-term hardening

0/2

HARDENINGIsolate AMS Device Manager and connected field devices from the corporate business network using a demilitarized zone (DMZ) or air gap

HARDENINGIf remote access to AMS Device Manager is required, use a VPN with up-to-date security patches and ensure the VPN endpoint device is hardened

CVEs (2)

CVE-2018-14804 CVE-2018-14808

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/7a04d59b-d897-4fd1-b044-a8abfda3ebaf