Columbia Weather Systems MicroServer

Plan PatchCVSS 9.8ICS-CERT ICSA-19-078-02Mar 19, 2019

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Columbia Weather Systems MicroServer firmware versions MS_2.6.9900 and earlier contain multiple vulnerabilities (CWE-79 cross-site scripting, CWE-22 path traversal, CWE-287 authentication bypass, CWE-20 improper input validation, CWE-94 code injection). These flaws allow unauthenticated, remote attackers to disclose sensitive data, trigger denial-of-service conditions, and execute arbitrary code on the device. Columbia Weather Systems has released firmware version MS_2.7.9973 to address all identified issues.

What this means

What could happen

An attacker with network access to a Weather MicroServer could read sensitive data, crash the device to disrupt weather monitoring, or run arbitrary commands to alter operational parameters or inject malicious logic into the device.

Who's at risk

Water utilities and municipal electric systems that use Columbia Weather Systems MicroServer for weather monitoring and environmental input to SCADA or control logic. Any facility relying on weather data for operational decisions (precipitation monitoring, wind speed for tower loads, temperature for demand forecasting) is affected.

How it could be exploited

An attacker on the network (or Internet if the device is exposed) sends a crafted request to the MicroServer. The device fails to validate input or authenticate the request properly, allowing the attacker to trigger path traversal, code injection, or denial-of-service conditions without needing valid credentials.

Prerequisites

Network access to the Weather MicroServer (IP address and accessible port)
Device firmware version MS_2.6.9900 or earlier
No authentication required for exploitation

Remotely exploitableNo authentication requiredLow complexityHigh CVSS (9.8)Affects operational monitoring systemsDefault network exposure risk

Exploitability

Some exploitation risk — EPSS score 1.1%

Affected products (1)

ProductAffected VersionsFix Status

Weather MicroServer: firmware≤ MS 2.6.9900MS_2.7.9973

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDBlock network access to Weather MicroServer from the Internet; ensure device is not exposed on public IPs

HARDENINGPlace Weather MicroServer behind a firewall and isolate from business network

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Weather MicroServer firmware to MS_2.7.9973 or later

HARDENINGIf remote access is required, use a VPN connection and keep VPN software updated

CVEs (6)

CVE-2018-18875 CVE-2018-18876 CVE-2018-18877 CVE-2018-18878 CVE-2018-18879 CVE-2018-18880

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/6c0db0fa-15ae-4d74-bf36-4825b18e2294

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.