HMS Networks eWON Flexy and Cosy

Monitor6.1ICS-CERT ICSA-20-098-03Apr 7, 2020

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionRequired

Summary

A reflected cross-site scripting (XSS) vulnerability in HMS Networks eWON Cosy and eWON Flexy devices allows an attacker to initiate an administrator password change if an authenticated user clicks a malicious link. Successful exploitation could lock legitimate operators out of the device, preventing access to monitoring and control functions. The vulnerability affects all firmware versions prior to 14.1s0. No known public exploits exist, and exploitation requires high technical skill and user interaction.

What this means

What could happen

An attacker could change administrator passwords on affected eWON devices, locking out legitimate operators and preventing access to critical monitoring and control functions for remote plant operations.

Who's at risk

Water authorities and municipal electric utilities using HMS Networks eWON Cosy or eWON Flexy devices for remote monitoring, industrial networking, and gateway functions. These devices are commonly used to bridge OT networks with remote management systems and to aggregate sensor data from field equipment.

How it could be exploited

An attacker sends a specially crafted request to the eWON device via the network, leveraging a reflected cross-site scripting (CWE-79) vulnerability to force a password change. The victim administrator must click a malicious link in their browser or visit a compromised website while authenticated to the device.

Prerequisites

Network reachability to the eWON device (port 80 or 443)
An authenticated administrator using a web browser
Administrator must click a malicious link or visit a crafted web page
Requires high technical skill to construct and deliver the attack

Remotely exploitable over the networkRequires user interaction (administrator must click a malicious link)Affects administrator account access and operational visibilityHigh skill level required to exploit reduces immediate riskNo patch available for older firmware versions

Exploitability

Low exploit probability (EPSS 0.3%)

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

eWON Cosy: all< 14.1s014.1s0

eWON Flexy: all< 14.1s014.1s0

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDRestrict network access to eWON devices from the business network using firewall rules; allow only trusted engineering workstations and VPN clients

HARDENINGEnsure eWON devices are not directly accessible from the Internet; place behind firewalls and NAT

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate eWON Cosy and eWON Flexy devices to firmware Version 14.1s0 or later

Long-term hardening

0/2

HARDENINGImplement network segmentation to isolate eWON devices from the business network

HARDENINGIf remote access is required, enforce secure VPN connections to eWON devices rather than direct Internet exposure

CVEs (1)

CVE-2020-10633

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ab9ba5d6-d798-4aca-8c74-d285b0eae3a6