Equinox Control Expert
Priority: Act Now
Severity score: 9.8
Source: ICS-CERT ICSA-19-353-02
Published: Dec 19, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Equinox Control Expert contains a SQL injection vulnerability (CWE-89) in its database interface. Because the interface does not properly validate input, a remote, unauthenticated attacker can execute arbitrary SQL commands against the backing database and, depending on how that database is configured, potentially arbitrary system commands on the host. All current and older versions of Control Expert are affected. Equinox has not responded to disclosure requests, and no vendor patch is available.
What this means
What could happen
Arbitrary SQL or system command execution on the Control Expert system could allow an attacker to modify industrial process parameters, stop critical operations, or alter safety interlocks, depending on how the system is integrated into your control network and what the database holds.
Who's at risk
Organizations running Equinox Control Expert systems, particularly those in manufacturing, water treatment, electric power distribution, and chemical processing, should review the system's network connectivity and access controls. Control Expert is often used as a supervisory control and data acquisition (SCADA) platform in mid-sized facilities.
How it could be exploited
An attacker with network reachability to the Control Expert database interface sends a request containing SQL syntax in a field the application does not validate. Because the application builds its queries from that input, the database executes the injected statements with the privileges of the Control Expert application (in practice, the database account it connects with). If that account can reach the database's command-execution features, the attacker can run operating-system commands on the host as well.
Prerequisites
- Network access to the Control Expert system (direct or via compromised internal device)
- No credentials required
Tags: remotely exploitable · no authentication required · low complexity · no patch available · affects control system operations
Exploitability
Low exploit probability (EPSS 0.2%). EPSS estimates the likelihood of exploitation in the wild; it does not lower the severity score, and the unauthenticated, network-reachable nature of this flaw still warrants immediate action.
Affected products (1)
Product | Affected Versions | Fix Status
Control Expert | all current and older versions (newer versions could also be affected) | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate Control Expert systems from the business network using a firewall and network segmentation. Do not expose these systems to the Internet.
WORKAROUND: Implement firewall rules to restrict inbound and outbound access to Control Expert systems to only necessary ports and trusted addresses.
Schedule — requires maintenance window
Database configuration changes may require a service restart or device reboot; plan for process interruption.
HARDENING: Disable or remove all unnecessary SQL stored procedures and user-defined functions on Control Expert systems. Pay particular attention to any that execute operating-system commands (for example, xp_cmdshell if the backend is Microsoft SQL Server), since those are what turn a SQL injection into host compromise.
HARDENING: Delete or disable all default and unnecessary database accounts on Control Expert systems, and confirm the account Control Expert itself connects with has no more privilege than it needs.
HOTFIX: Contact Equinox to request security updates or patches for Control Expert as they become available.
Mitigations - no patch available
Control Expert (all current and older versions) has reached End of Life, and the vendor will not release a patch. Apply the following compensating controls:
HARDENING: Validate and sanitize all user input to the Control Expert database, and use parameterized queries or prepared statements instead of string concatenation to prevent SQL injection. Operators cannot change the product's own query code, so this applies to any custom integrations, reports, or front ends your organization maintains against the Control Expert database; the product itself must be protected by the network controls above.
HARDENING: Disable unnecessary services and applications on Control Expert systems to reduce attack surface.
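The following is an added example, not code from the advisory or from Equinox, illustrating both the exploitation path described under "How it could be exploited" and the parameterized-query mitigation above. It uses an in-memory SQLite database as a stand-in because the page does not name Control Expert's backend DBMS; the tags and users tables, column names and sample rows are all constructed assumptions. The vulnerable function reproduces the CWE-89 string-concatenation pattern; the hardened function binds the same inputs as parameters.

```python
import sqlite3

# Constructed stand-in for a Control Expert-style backend. The schema, table names and
# sample rows are hypothetical; the real product's database layout is not on this page.
SAMPLE_TAGS = [
    ("pump1_speed", "operator"),
    ("valve3_state", "operator"),
    ("safety_interlock_1", "engineer"),
]
SAMPLE_USERS = [
    ("admin", "constructed-hash-0001"),
]


def build_db():
    """In-memory SQLite database seeded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.execute("CREATE TABLE users (login TEXT NOT NULL, pw_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO tags VALUES (?, ?)", SAMPLE_TAGS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, tag_name, role):
    """The CWE-89 pattern: request fields are concatenated straight into SQL text,
    so quotes and comment markers in the input become SQL syntax."""
    sql = f"SELECT name FROM tags WHERE name = '{tag_name}' AND role = '{role}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, tag_name, role):
    """Parameterized form: the driver binds the values as data, so the same
    payloads are compared literally against the name column and match nothing."""
    sql = "SELECT name FROM tags WHERE name = ? AND role = ?"
    return [row[0] for row in conn.execute(sql, (tag_name, role))]


# Two classic payloads. The trailing "--" comments out the rest of the WHERE clause,
# which is how the attacker discards the role restriction the application intended.
PAYLOAD_TAUTOLOGY = "x' OR 1=1 --"
PAYLOAD_UNION = "x' UNION SELECT pw_hash FROM users --"


def demo():
    """Run both payloads through both code paths and return the observed results."""
    conn = build_db()
    results = {
        # Tautology: returns every tag regardless of role.
        "vuln_tautology": lookup_vulnerable(conn, PAYLOAD_TAUTOLOGY, "operator"),
        # UNION: pulls data from an unrelated table through the same query.
        "vuln_union": lookup_vulnerable(conn, PAYLOAD_UNION, "operator"),
        # The same payloads against the parameterized query match nothing.
        "safe_tautology": lookup_hardened(conn, PAYLOAD_TAUTOLOGY, "operator"),
        "safe_union": lookup_hardened(conn, PAYLOAD_UNION, "operator"),
        # Legitimate lookups still work with the hardened form.
        "safe_legit": lookup_hardened(conn, "pump1_speed", "operator"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key}: {rows}")
```

The step from arbitrary SQL to arbitrary system commands is DBMS-specific and is not shown here: it requires a command-execution feature (on Microsoft SQL Server, for instance, xp_cmdshell, if that were the backend) reachable by the account the application uses. That is why the stored-procedure and database-account hardening items under "Schedule" reduce impact even though they do not remove the injection itself.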
CVEs (1)
API:
/api/v1/advisories/3d42ffea-c6a5-45bc-9913-40a47ef85ed9