Prima Systems FlexAir

Act NowCVSS 10ICS-CERT ICSA-19-211-02Jul 30, 2019

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Prima FlexAir controller versions 2.3.38 and earlier contain multiple critical vulnerabilities that allow unauthenticated remote attackers to execute arbitrary operating system commands, upload malicious files, bypass authentication, execute code in user browsers, and gain full system access. Affected flaws include command injection (CWE-78), arbitrary file upload (CWE-434), missing CSRF protection (CWE-352), weak credential storage (CWE-798), and weak authentication (CWE-287). Prima Systems has released firmware version 2.5.12 to address these issues.

What this means

What could happen

An attacker with network access to a FlexAir controller could execute arbitrary commands on the device or bypass authentication entirely, allowing them to modify control logic, alter process setpoints, or shut down HVAC systems serving critical facilities.

Who's at risk

Building automation and HVAC system operators who use Prima FlexAir controllers in commercial buildings, data centers, industrial facilities, and critical infrastructure. This includes facility managers, building systems integrators, and any organization using FlexAir for climate control or environmental monitoring.

How it could be exploited

An attacker on the network can send a crafted request to the FlexAir device without credentials to trigger command injection, file upload, or authentication bypass vulnerabilities. The attacker gains direct OS command execution or administrative privileges on the controller, which then controls HVAC setpoints and operation.

Prerequisites

Network connectivity to the FlexAir controller (typically on the facility network or reachable via remote access)
No credentials required for exploitation of authentication bypass and command injection flaws

Remotely exploitableNo authentication required for exploitationLow complexity attackCritical CVSS score (10.0)High EPSS score (39.5%)Multiple attack vectors (command injection, file upload, authentication bypass)

Exploitability

Likely to be exploited — EPSS score 32.8%

Affected products (1)

ProductAffected VersionsFix Status

Prima FlexAir:≤ 2.3.382.5.12

Remediation & Mitigation

0/4

Do now

0/3

HOTFIXUpdate FlexAir firmware to version 2.5.12 or later immediately using the Check for Upgrade option in the Centrals menu of the GUI

HARDENINGIsolate FlexAir controllers from the Internet and business network using firewalls; restrict network access to only devices that require direct communication with the controller

HARDENINGIf remote access to FlexAir is required, implement a secure VPN tunnel and restrict VPN access to authorized engineering staff only

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGImplement network segmentation to place FlexAir controllers on a dedicated control network separate from corporate IT systems

CVEs (9)

CVE-2019-7670 CVE-2019-7669 CVE-2019-7281 CVE-2019-7280 CVE-2019-7671 CVE-2019-7667 CVE-2019-7666 CVE-2019-7672 CVE-2019-9189

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/dcaf2a3c-8066-49ce-bd64-a94853d6ee26

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.