SAE IT-systems FW-50 Remote Telemetry Unit (RTU)
Act Now
CVSS: 9.1
ICS-CERT ICSA-20-126-02
May 5, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The FW-50 RTU 5 Series CPU-5B contains input injection vulnerabilities (CWE-79 and CWE-22) in the web server. These vulnerabilities allow an attacker to execute remote code through malicious input or traverse the device's file system to access protected files. The web server does not adequately validate or sanitize user-supplied input before processing it.
What this means
What could happen
An attacker with network access to the RTU's web interface could run arbitrary code on the device or read sensitive files and configuration data that would normally be protected. This could allow unauthorized changes to telemetry settings, data exfiltration, or disruption of remote monitoring capabilities for water or power distribution systems.
Who's at risk
Water utilities and electric utilities operating SAE IT-systems FW-50 Remote Telemetry Units (RTUs) are affected. These devices are typically used for remote monitoring and control of distributed infrastructure such as pump stations, distribution lines, and remote substations. Any organization relying on this RTU model for telemetry collection should assess their exposure immediately.
How it could be exploited
An attacker sends malicious input (HTML, path traversal, or command injection) through the web server interface on the RTU. The web server does not properly validate or sanitize the input, allowing the attacker to execute arbitrary code on the CPU or access the device's file system to read configuration files, credentials, or system data.
Prerequisites
- Network access to port 80/443 on the RTU web server
- No authentication required to exploit the web server input injection vulnerability
- Web server port must be enabled (default condition)
- Remotely exploitable over network
- No authentication required
- Low complexity attack
- High CVSS score (9.1)
- Critical severity
- Affects telemetry/monitoring systems
- No patch available from vendor
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
Product | Affected Versions | Fix Status
FW-50 RTU 5 Series CPU-5B: Hardware Revision 2; CPLD Revision 6 | Hardware Revision 2; CPLD Revision 6 | No fix yet
Remediation & Mitigation
Do now
- WORKAROUND: Disable the project web server port on the FW-50 RTU if the web interface is not required for normal operations
- HARDENING: Implement network segmentation to isolate the RTU behind a firewall, blocking inbound traffic from the business network and Internet to the RTU's web server port
- HARDENING: Restrict network access to the RTU to only authorized engineering workstations or SCADA master stations using firewall ACLs or network access control lists
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Replace the CPU-5B card with a new hardware unit and reprogram it with the latest version of setIT software from SAE IT-systems
CVEs (2)