Emerson OpenEnterprise

Low Risk3.8ICS-CERT ICSA-20-238-02Aug 25, 2020

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

OpenEnterprise versions 3.3.5 and earlier use weak encryption or plaintext storage for credentials used to access field devices and external systems. An attacker with local access to a workstation running OpenEnterprise could extract these credentials and use them to authenticate directly to controlled equipment, bypassing OpenEnterprise's access controls.

What this means

What could happen

An attacker with local access to an OpenEnterprise system could extract stored credentials used to authenticate to field devices and external systems, potentially enabling unauthorized access to critical plant equipment.

Who's at risk

Water utilities, electrical utilities, and any organization running Emerson OpenEnterprise to manage field devices or remote terminal units (RTUs). OpenEnterprise is typically deployed on engineering workstations that centralize configuration and monitoring of distributed control equipment, making it a high-value target for credential harvesting.

How it could be exploited

An attacker with local login access to a workstation running OpenEnterprise could retrieve plaintext or weakly encrypted credentials stored by the application. These credentials could then be reused to authenticate directly to field devices, SCADA systems, or external systems managed through OpenEnterprise.

Prerequisites

Local login access to a workstation running OpenEnterprise
User privilege level or higher on the affected system
Physical or remote access to the workstation (e.g., via compromised VPN or insider access)

Weak credential storage (CWE-326)Local access required but sufficient for insider threatNo publicly available patch timelineAffects devices used for centralized control of critical infrastructure

Exploitability

Low exploit probability (EPSS 0.0%)

Affected products (1)

ProductAffected VersionsFix Status

OpenEnterprise: All≤ 3.3.53.3.6

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGRestrict local login access to OpenEnterprise workstations to authorized engineering and operations staff only

WORKAROUNDRotate all credentials that may have been stored in OpenEnterprise instances

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade to OpenEnterprise 3.3.6 or later

Long-term hardening

0/2

HARDENINGImplement the principle of least privilege: use dedicated service accounts with minimal necessary permissions for OpenEnterprise

HARDENINGIsolate control system networks and OpenEnterprise workstations from the business network using firewalls

CVEs (1)

CVE-2020-16235

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/89a6bf9f-c4f2-44b5-9ac8-b9465aeae54c