Ovarro TBox (Update A)

Plan PatchCVSS 8.8ICS-CERT ICSA-21-054-04Feb 23, 2021

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Multiple vulnerabilities exist in Ovarro TBox devices (MS-CPU32-S2, MS-CPU32, TG2, TG2 derivatives, RM2, and TBoxLT2) that allow authenticated remote attackers to execute arbitrary code. The vulnerabilities are related to insecure code execution mechanisms (CWE-94), weak permission controls (CWE-732), resource exhaustion (CWE-400), unencrypted credential storage (CWE-522), weak cryptographic key storage (CWE-321), and path traversal (CWE-23). Successful exploitation could result in remote code execution and denial-of-service conditions.

What this means

What could happen

An attacker with login credentials could execute arbitrary code on the TBox device, potentially causing loss of control over the equipment or stopping operations entirely. This could disrupt water treatment, power distribution, or other critical processes.

Who's at risk

Water utilities, electric utilities, and other critical infrastructure operators using Ovarro TBox controllers (MS-CPU32-S2, MS-CPU32, TG2, RM2, and TBoxLT2 models) for process automation and control are affected. Any facility relying on these devices for monitoring or controlling pumps, generators, valves, or other critical equipment is at risk.

How it could be exploited

An attacker with valid credentials accesses the affected TBox device over the network, exploits insecure code execution or cryptographic weaknesses (CWE-94, CWE-321), and runs arbitrary commands on the device. This does not require user interaction or system-level privileges to initiate.

Prerequisites

Valid login credentials for the TBox device
Network access to the TBox (direct or via remote access tool like VPN)
Device running vulnerable firmware version below 1.46 (TBox version 12.4 or earlier)

Remotely exploitableAuthentication required but commonly weak/default credentials in OT environmentsNo patch available for many installationsHigh CVSS score (8.8)

Exploitability

Unlikely to be exploited — EPSS score 1.0%

Affected products (5)

5 with fix

ProductAffected VersionsFix Status

TBox MS-CPU32-S2: All< 12.4 (firmware 1.46)TWinSoft 12.5+

TBox TG2 (All models): All< 12.4 (firmware 1.46)TWinSoft 12.5+

TBox RM2 (All models): All< 12.4 (firmware 1.46)TWinSoft 12.5+

TBoxLT2 (All models): All< 12.4 (firmware 1.46)TWinSoft 12.5+

TBox MS-CPU32: All< 12.4 (firmware 1.46)TWinSoft 12.5+

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDDisable unnecessary remote access and use VPN with the latest security patches if remote access is required

HARDENINGEnforce strong, unique credentials and disable default accounts on all TBox devices

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate TWinSoft to version 12.5 or later

Long-term hardening

0/1

HARDENINGIsolate TBox devices from the business network and place them behind firewalls

CVEs (6)

CVE-2021-22646 CVE-2021-22648 CVE-2021-22642 CVE-2021-22640 CVE-2021-22644 CVE-2021-22650

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/65a2fb98-dbcd-4234-b235-19048cba3b1e

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.