OTPulse

Rittal Chiller SK 3232-Series

Act Now
CVSS 9.1
ICS-CERT ICSA-19-297-01
Oct 24, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Rittal Chiller SK 3232-Series web interface, built on Carel pCOWeb firmware A1.5.3 through B1.2.4, contains authentication bypass vulnerabilities (CWE-306, CWE-798). These allow unauthenticated remote attackers to access the web interface and modify critical parameters including temperature setpoints, potentially disrupting cooling operations.

What this means
What could happen
An attacker could remotely change the chiller's temperature setpoint or shut down cooling to the unit without authentication, disrupting facility operations and potentially damaging equipment that depends on the chiller for temperature control.
Who's at risk
Water utilities and facilities that use Rittal SK 3232-Series chillers for critical cooling of server rooms, control room equipment, or process cooling systems. Any facility relying on these chillers to maintain temperatures for HVAC systems or equipment in critical infrastructure.
How it could be exploited
An attacker on the network (or internet if the chiller is exposed) sends a request to the web interface on the affected firmware version. No credentials are required. The attacker can then modify setpoints, toggle cooling, or extract configuration data.
Prerequisites
  • Network access to the chiller's web interface (default or custom HTTP/HTTPS port)
  • Chiller running Rittal SK 3232-Series with firmware version A1.5.3 through B1.2.4
  • No authentication credentials needed
Tags: remotely exploitable, no authentication required, low complexity, no patch available, affects facility cooling systems
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
Chiller SK 3232-Series web interface as built upon Carel pCOWeb: firmware A1.5.3 - B1.2.4 | ≥ A1.5.3 and ≤ B1.2.4 | No fix (EOL)
Remediation & Mitigation
Do now

HARDENING: Restrict network access to the chiller's web interface using firewall rules; allow only trusted engineering workstations and management networks.
WORKAROUND: Disable web interface access if it is not actively required for monitoring or control.

Schedule (requires maintenance window)

Patching may require a device reboot; plan for process interruption.

HOTFIX: Contact Rittal Support (info@rittal.de) for firmware updates and patch availability.

Mitigations - no patch available

Chiller SK 3232-Series web interface as built upon Carel pCOWeb: firmware A1.5.3 - B1.2.4 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate the chiller's control network from the business/IT network using a separate network segment or DMZ.
HARDENING: If remote access is required, use a VPN with current security patches rather than exposing the web interface to the internet.