OTPulse

Optergy Proton Enterprise Building Management System

Act Now · CVSS 10 · ICS-CERT ICSA-19-157-01 · Jun 6, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Optergy Proton and Enterprise versions 2.3.0a and earlier contain multiple critical vulnerabilities (CWE-200 information disclosure, CWE-352 CSRF, CWE-434 file upload, CWE-601 open redirect, CWE-798 hardcoded credentials, CWE-912 path traversal, CWE-749 unsafe deserialization) that allow remote code execution and full system compromise. An unauthenticated attacker on the network can exploit these flaws to gain administrative control of the building management system. The CVSS v3.0 score is 10.0 (critical) with network vector, low attack complexity, and no privileges or user interaction required. No public exploits are currently known, but the EPSS score of 92.6% indicates high probability of exploitation.

What this means
What could happen
An attacker with network access could execute arbitrary commands on the Optergy server and gain full system access, potentially allowing them to modify HVAC setpoints, disable climate control, or disrupt facility operations.
Who's at risk
Facility managers and IT teams operating Optergy Proton or Optergy Enterprise building management systems should act immediately. This includes heating, cooling, ventilation, and building automation operators at hospitals, commercial facilities, data centers, and municipal buildings that rely on these systems for climate and safety control.
How it could be exploited
An attacker on the network (or via the internet if port 22 or other ports are forwarded) can exploit multiple vulnerabilities including information disclosure, cross-site request forgery, file upload, and open redirect flaws to gain code execution on the Optergy server with no authentication required.
Prerequisites
  • Network connectivity to the Optergy server
  • Optergy version 2.3.0a or earlier deployed
  • Port 22 (SSH) or other vulnerable ports exposed to untrusted networks
  • remotely exploitable
  • no authentication required
  • low complexity
  • high EPSS score (92.6%)
  • affects building operations and safety systems
  • default port exposure common
Exploitability
High exploit probability (EPSS 92.6%)
Affected products (1)
Product              Affected Versions   Fix Status
Proton/Enterprise    ≤ 2.3.0a            2.4.5
Remediation & Mitigation
Do now
WORKAROUND: Close port 22 (SSH) or disable port forwarding to the Optergy server; only open it during scheduled support activities
HARDENING: Deploy Optergy OpenVPN or enforce SSL/TLS encryption for all connections crossing the internet
HARDENING: Enforce a strong password policy: minimum 12 characters, mixed case, numbers, symbols; no dictionary words
HARDENING: Implement an expiring password policy for all Optergy user accounts
HARDENING: Prevent concurrent logins by configuring web server and portal preferences
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update the Optergy Proton/Enterprise server to version 2.4.5 or later
Long-term hardening
HARDENING: Place the Optergy server behind enterprise firewall and routers to block unsolicited incoming traffic