Opto 22 SoftPAC Project
Act Now | CVSS 9.8 | ICS-CERT ICSA-20-135-01 | May 14, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Opto 22 SoftPAC Project versions 9.6 and earlier contain multiple vulnerabilities affecting file write operations (CWE-73), digital signature verification (CWE-347), authorization checks (CWE-284, CWE-285), and code integrity (CWE-427). These flaws allow unauthenticated remote attackers to write arbitrary files with system privileges, execute code remotely, start or stop services, and degrade system availability. The vulnerabilities are exploitable over the network on port 22000 without user interaction.
What this means
What could happen
An attacker with network access to SoftPAC Project could execute arbitrary commands on the system, write files with system privileges, modify process control parameters, or cause the control system to become unavailable by stopping services.
Who's at risk
Organizations using Opto 22 SoftPAC Project for process automation and control should prioritize this fix. This affects any facility relying on SoftPAC Project for PLC or PAC functions in water treatment, electrical distribution, manufacturing, or other industrial processes.
How it could be exploited
An attacker on the network sends specially crafted requests to SoftPAC Project listening on port 22000. The vulnerabilities (improper file write, code execution, and service manipulation) allow the attacker to run commands, manipulate files, or disable the service without needing credentials or user interaction.
Prerequisites
- Network access to port 22000 on the SoftPAC Project system
- SoftPAC Project version 9.6 or earlier running
- Remotely exploitable
- No authentication required
- Low complexity attack
- High CVSS score (9.8)
- Affects control system availability and integrity
- No patch available for versions in production without upgrade to 10.3
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
Product | Affected Versions | Fix Status
SoftPAC Project | ≤ 9.6 | 10.3
Remediation & Mitigation
Do now
- WORKAROUND: Monitor and restrict access to port 22000 at the firewall; block inbound connections unless required for legitimate remote engineering access
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HOTFIX: Upgrade SoftPAC Project to version 10.3 or later
Long-term hardening
- HARDENING: Isolate the SoftPAC Project system behind a firewall and on a separate control network, not accessible from the business network or Internet
- HARDENING: If remote engineering access is required, use a VPN with encryption and keep VPN software updated
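
One way to act on the "monitor and restrict access to port 22000" workaround, as an added example that is not part of the advisory or any Opto 22 tooling: a review of firewall connection logs that flags traffic to port 22000 from outside an approved engineering subnet. The log format, the SoftPAC host address, and the engineering subnet are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

SOFTPAC_PORT = 22000  # port named in the advisory

# Assumptions (constructed values): hosts running SoftPAC Project and the
# only subnet permitted to reach them for remote engineering access.
SOFTPAC_HOSTS = {ipaddress.ip_address("10.20.0.15")}
ENGINEERING_NETS = [ipaddress.ip_network("10.20.5.0/28")]

# Constructed sample log; assumed format: timestamp src dst dst_port action
SAMPLE_LOG = """\
2020-05-14T08:01:12Z 10.20.5.3 10.20.0.15 22000 ALLOW
2020-05-14T08:03:40Z 10.10.8.77 10.20.0.15 22000 ALLOW
2020-05-14T08:03:41Z 10.10.8.77 10.20.0.15 22000 ALLOW
2020-05-14T08:05:02Z 198.51.100.9 10.20.0.15 22000 DENY
2020-05-14T08:06:30Z 10.10.8.77 10.20.0.15 443 ALLOW
malformed line
"""

def review_port_22000(log_text):
    """Return (findings, skipped). findings counts (src, dst, action) for
    connections to SOFTPAC_PORT on a SoftPAC host from outside ENGINEERING_NETS."""
    findings, skipped = Counter(), 0
    for line in log_text.splitlines():
        try:
            _ts, src, dst, port, action = line.split()
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:  # wrong field count, bad address, or bad port
            skipped += 1
            continue
        if port != SOFTPAC_PORT or dst not in SOFTPAC_HOSTS:
            continue
        if any(src in net for net in ENGINEERING_NETS):
            continue  # approved remote engineering source
        findings[(str(src), str(dst), action.upper())] += 1
    return findings, skipped

def allowed_exposures(findings):
    """ALLOW findings are rule gaps: the firewall passed unapproved traffic."""
    return sorted(key for key in findings if key[2] == "ALLOW")

if __name__ == "__main__":
    found, skipped = review_port_22000(SAMPLE_LOG)
    for (src, dst, action), n in sorted(found.items()):
        print(f"{action:5} {src} -> {dst}:{SOFTPAC_PORT} x{n}")
    print("rule gaps:", allowed_exposures(found), "| unparsed lines:", skipped)
```

ALLOW findings point to a firewall rule that needs tightening; DENY findings show the block is working and identify sources worth investigating.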