LCDS LAquis SCADA

Monitor6.5ICS-CERT ICSA-20-119-01Apr 28, 2020

Attack VectorLocal

Auth RequiredHigh

ComplexityLow

User InteractionRequired

Summary

LAquis SCADA versions 4.3.1 and prior contain two vulnerabilities (CWE-200 information disclosure and CWE-20 improper input validation) that allow a local attacker with high privileges and user interaction to read sensitive files and write arbitrary files to the system. These vulnerabilities are not exploitable remotely and no public exploits are known.

What this means

What could happen

An attacker with local access and elevated privileges on a system running LAquis SCADA could read sensitive files and write arbitrary files, potentially compromising configuration data or operational integrity of the SCADA application.

Who's at risk

Energy sector operators running LAquis SCADA for generation, distribution, or control systems should review their deployments. This affects engineering workstations and SCADA servers running version 4.3.1 or earlier that manage power flow, monitoring, or grid operations.

How it could be exploited

An attacker must have local access to the machine hosting LAquis SCADA and high-level privileges (likely administrator or engineer account). They could then read sensitive configuration or credential files and write malicious files to arbitrary locations to compromise system operation or data confidentiality.

Prerequisites

Local console or remote desktop access to the LAquis SCADA host
High-privilege (administrator or engineering) credentials
User interaction required (UI-based exploitation vector)
LAquis SCADA version 4.3.1 or earlier

Requires local accessRequires high privilegesAffects information confidentialityAffects system integrity via arbitrary file writeNot remotely exploitable

Exploitability

Low exploit probability (EPSS 0.2%)

Affected products (1)

ProductAffected VersionsFix Status

LAquis SCADA Versions: 4.3.1 and prior≤ 4.3.1No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/1

HARDENINGRestrict physical and remote access to SCADA workstations to authorized personnel only

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate LAquis SCADA to the latest available version (newer than 4.3.1)

HARDENINGEnforce principle of least privilege—limit engineering staff to minimum necessary permissions on SCADA systems

Mitigations - no patch available

0/1

LAquis SCADA Versions: 4.3.1 and prior has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate SCADA systems from general IT networks

CVEs (2)

CVE-2020-10618 CVE-2020-10622

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f6ed2152-5883-475e-b399-a43627ae7b01