OTPulse

Grundfos CIM 500

Plan Patch · 7.5 · ICS-CERT ICSA-20-189-01 · Jul 7, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The Grundfos CIM 500 controller stores user credentials in cleartext, allowing an attacker with network access to read and obtain valid login credentials. The affected versions are all firmware versions prior to 06.16.00. Successful exploitation allows unauthorized access to cleartext credential data, which could be used to gain control of pump operations.

What this means
What could happen
An attacker with network access to the CIM 500 can read stored user credentials in cleartext, potentially gaining unauthorized access to pump system configuration and control functions.
Who's at risk
Water utilities and municipal systems using Grundfos CIM 500 controllers for pump management. This affects any facility where the CIM 500 is used for SCADA control of water distribution or treatment pumps.
How it could be exploited
An attacker on the same network as the CIM 500 can connect to the device and retrieve stored credentials without authentication. These credentials could then be used to log in and modify pump control settings, disable alarms, or alter flow rates.
Prerequisites
  • Network access to the CIM 500 device
  • Device firmware version earlier than 06.16.00
  • No valid credentials required for initial access
Remotely exploitable · No authentication required · Low complexity attack · Cleartext credential storage · Affects pump control systems
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
CIM 500: All | < 06.16.00 | 06.16.00
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the CIM 500: place it behind a firewall and isolate it from the business network
HARDENING: If remote access to the CIM 500 is required, use a VPN with current security patches
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Grundfos CIM 500 firmware to v06.16.00 or later
HARDENING: Change all user credentials after firmware update