Hetronic Nova-M

Plan PatchCVSS 7.6ICS-CERT ICSA-19-003-03Jan 3, 2019

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Hetronic Nova-M wireless remote control systems are vulnerable to command replay attacks. An attacker within radio range can capture and retransmit control commands to lift or lower connected equipment without needing the original transmitter. The vulnerability affects the Nova-M transmitter and receivers (BMS-HL, ES-CAN-HL, MLC, DC Mobile). Successful exploitation allows unauthorized users to view commands, replay commands, control the device, or stop the device from running. All versions prior to the patched firmware versions are affected. No known public exploits currently exist for this vulnerability.

What this means

What could happen

An attacker with radio range could replay previously captured commands to control or stop wireless remote operation of Hetronic lifting equipment, potentially causing equipment to move unexpectedly or halt during critical operations.

Who's at risk

This affects any organization using Hetronic Nova-M wireless remote control systems for lifting and material handling operations, including construction, port operations, warehousing, and heavy equipment management. Anyone operating equipment controlled by these wireless transmitters and receivers should prioritize this fix.

How it could be exploited

An attacker within radio range captures wireless command transmissions from Hetronic Nova-M transmitters, then replays those captured commands to receivers on the same frequency. Since the system lacks proper authentication, the replayed commands are accepted as legitimate, allowing the attacker to control connected equipment without needing the original transmitter.

Prerequisites

Radio range to the affected Hetronic receiver (AV:A - adjacent network)
Line-of-sight or near line-of-sight to operating transmitter to capture commands
No credentials required

remotely exploitable (radio-based)no authentication requiredlow complexitycommand replay enables full device controlaffects safety-critical lifting operations

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (5)

5 with fix

ProductAffected VersionsFix Status

Nova-M: all< r161r161

ES-CAN-HL: all< Main r1864 Estop v24Main r1864, Estop_v24

BMS-HL: all< Main r1175 Estop v24Main r1175, Estop_v24

MLC: all< Main r1600 Estop v24Main r1600, Estop_v24

DC Mobile: all< Main r515 Estop v24Main r515, Estop_v24

Remediation & Mitigation

0/6

Schedule — requires maintenance window

0/5

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Nova-M transmitter firmware to r161 or later

HOTFIXUpdate ES-CAN-HL receiver firmware to Main r1864, Estop_v24 or later

HOTFIXUpdate BMS-HL receiver firmware to Main r1175, Estop_v24 or later

HOTFIXUpdate MLC receiver firmware to Main r1600, Estop_v24 or later

HOTFIXUpdate DC Mobile receiver firmware to Main r515, Estop_v24 or later

Long-term hardening

0/1

HARDENINGRestrict radio frequency usage to designated, controlled zones and consider physical barriers to reduce unintended radio range

CVEs (1)

CVE-2018-19023

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/2f6cd435-919e-4799-993d-266df73e2cf8

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.