Eaton HMiSoft VU3

MonitorCVSS 7.8ICS-CERT ICSA-20-105-01Apr 14, 2020

EatonManufacturing

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Eaton HMiSoft VU3 contains buffer overflow (CWE-121) and buffer over-read (CWE-125) vulnerabilities in versions 3.00.23 and earlier. Successful exploitation could crash the device and may allow remote code execution or information disclosure. The vulnerabilities are triggered through social engineering (opening untrusted files or clicking malicious links) and require local access—they are not remotely exploitable. Eaton discontinued HMiVU on December 31, 2018, marked it end-of-life, and no longer provides security fixes. The product has been replaced by the XV100 and XV300 operator interface lines.

What this means

What could happen

Successful exploitation could crash the HMiSoft VU3 operator interface device, causing loss of visibility into manufacturing processes. An attacker could also execute arbitrary code on the device or disclose sensitive information.

Who's at risk

Manufacturing facilities using Eaton HMiSoft VU3 operator interface devices for process monitoring and control should prioritize this vulnerability. This affects any plant relying on HMiVU for human-machine interface (HMI) functionality, particularly where the device is connected to engineering workstations or shared networks.

How it could be exploited

An attacker with local access to the device must trick a user into opening a malicious file or interacting with a social engineering attempt (phishing email, untrusted attachment). The local file or interaction triggers a buffer overflow or buffer over-read condition, potentially allowing code execution or information disclosure.

Prerequisites

Local access to the device
User interaction required (must open untrusted file or click malicious link)
HMiSoft VU3 software version 3.00.23 or earlier

No patch available (end-of-life product)Requires user interaction (social engineering attack)Local access only (not remotely exploitable)Affects operator interface / visibility systemsBuffer overflow and buffer over-read vulnerabilities

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (1)

ProductAffected VersionsFix Status

HMiSoft VU3:≤ 3.00.23No fix (EOL)

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDDo not open untrusted files or attachments with the HMiSoft VU3 device; train users to recognize and avoid phishing and social engineering attempts

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXMigrate from HMiSoft VU3 to Eaton XV100 or XV300 operator interface products; contact Eaton sales or Technical Resource Center (1-877-ETN-CARE) for migration assistance

Mitigations - no patch available

0/1

HMiSoft VU3: has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGRestrict local access to operator interface devices through physical security and network segmentation; implement defense-in-depth strategies for ICS environments

CVEs (2)

CVE-2020-10639 CVE-2020-10637

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/686d1d21-174b-4b45-a05f-9e313129981c

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.