OTPulse

Weintek EasyWeb cMT

Act Now | CVSS 10 | ICS-CERT ICSA-21-082-01 | Mar 23, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple critical vulnerabilities in Weintek cMT products involve code injection (CWE-94), improper access control (CWE-284), and cross-site scripting (CWE-79). Successful exploitation allows an unauthenticated remote attacker to access sensitive information and execute arbitrary code to gain root privileges on vulnerable devices. Weintek has released OS upgrades for all affected product lines. No known public exploits are currently active.

What this means
What could happen
An unauthenticated attacker with network access to a vulnerable cMT device could execute arbitrary code with root privileges, allowing them to manipulate process logic, alter setpoints, stop operations, or exfiltrate sensitive plant data and configurations.
Who's at risk
Water authorities and municipal utilities using Weintek cMT HMI/SCADA controllers and servers should prioritize this. Affected devices include the cMT-CTRL01 controller, cMT-SVR-1xx/2xx servers, cMT-G01/G02/G03/G04 gateways, cMT3071/cMT3072/cMT3090/cMT3103/cMT3151 panel controllers, cMT-FHD, and cMT-HDM. Any facility using these devices for process automation, data logging, or remote monitoring is at risk.
How it could be exploited
An attacker on the network sends a crafted request to the EasyWeb interface (port 80/443 by default). The code injection and improper access control vulnerabilities allow the request to be processed without authentication, resulting in arbitrary code execution with root privileges on the device. No user interaction is required.
Prerequisites
  • Network access to the cMT device on port 80 or 443 (typically the EasyWeb interface)
  • Device running a vulnerable firmware version
  • No credentials required
remotely exploitable | no authentication required | low complexity | high CVSS score (10.0) | default network exposure
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (7)
7 with fix
Product | Affected Versions | Fix Status
cMT-CTRL01 | < 20210302 | 20210302 or later
cMT-SVR-1xx/2xx | < 20210305 | 20210305 or later
cMT-G01/G02 | < 20210209 | 20210209 or later
cMT-G03/G04 | < 20210222 | 20210222 or later
cMT3071/cMT3072/cMT3090/cMT3103/cMT3151 | < 20210218 | 20210218 or later
cMT-FHD | < 20210208 | 20210208 or later
cMT-HDM | < 20210204 | 20210204 or later
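
One way to check an asset inventory against the fixed builds listed above. This is an added example, not OTPulse or Weintek code; it assumes the inventory reports the OS build as an 8-digit date string, and the model-matching patterns, hostnames and sample rows are constructed for illustration.

```python
import re

# Fixed OS builds (YYYYMMDD) from the advisory's affected-products table.
# Assumption: the regexes reflect how model names appear in your inventory.
FIXED_BUILDS = [
    (re.compile(r"^cMT-CTRL01$", re.I), "cMT-CTRL01", 20210302),
    (re.compile(r"^cMT-SVR-[12]\d\d$", re.I), "cMT-SVR-1xx/2xx", 20210305),
    (re.compile(r"^cMT-G0[12]$", re.I), "cMT-G01/G02", 20210209),
    (re.compile(r"^cMT-G0[34]$", re.I), "cMT-G03/G04", 20210222),
    (re.compile(r"^cMT(3071|3072|3090|3103|3151)$", re.I), "cMT30xx/31xx panels", 20210218),
    (re.compile(r"^cMT-FHD$", re.I), "cMT-FHD", 20210208),
    (re.compile(r"^cMT-HDM$", re.I), "cMT-HDM", 20210204),
]

def classify(model, os_build):
    """Return (status, product_line, fixed_build) for one inventory row."""
    line = next(((name, fixed) for rx, name, fixed in FIXED_BUILDS
                 if rx.match(model.strip())), None)
    if line is None:
        return ("not-listed", None, None)
    name, fixed = line
    build = str(os_build).strip()
    # An unparseable build is flagged for manual review, never read as patched.
    if not re.fullmatch(r"\d{8}", build):
        return ("unknown-build", name, fixed)
    return ("vulnerable" if int(build) < fixed else "fixed", name, fixed)

def audit(inventory):
    """Return rows needing action: vulnerable first, then unknown builds."""
    order = {"vulnerable": 0, "unknown-build": 1}
    rows = []
    for host, model, build in inventory:
        status, _name, fixed = classify(model, build)
        if status in order:
            rows.append((host, model, build, status, fixed))
    return sorted(rows, key=lambda r: (order[r[3]], r[0]))

# Constructed sample inventory (hostnames, models and builds are made up).
SAMPLE = [
    ("hmi-pump-01", "cMT3090", "20200915"),
    ("gw-lift-02", "cMT-G02", "20210209"),
    ("srv-plant-a", "cMT-SVR-102", "2021-03-01"),
    ("ctrl-dose-1", "cmt-ctrl01", "20210301"),
    ("panel-old", "MT8071iE", "20190101"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```
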
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to cMT devices using firewall rules; block inbound connections from the Internet and untrusted business networks
WORKAROUND: Disable remote access to cMT devices unless absolutely required for operations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update cMT-CTRL01 firmware to version 20210302 or later
HOTFIX: Update cMT-SVR-1xx/2xx firmware to version 20210305 or later
HOTFIX: Update cMT-G01/G02 firmware to version 20210209 or later
HOTFIX: Update cMT-G03/G04 firmware to version 20210222 or later
HOTFIX: Update cMT3071/cMT3072/cMT3090/cMT3103/cMT3151 firmware to version 20210218 or later
HOTFIX: Update cMT-FHD firmware to version 20210208 or later
HOTFIX: Update cMT-HDM firmware to version 20210204 or later
Long-term hardening
HARDENING: If remote access is necessary, implement a VPN with multi-factor authentication and keep VPN software updated
HARDENING: Isolate cMT devices and control system networks from the business network using network segmentation or air-gapped architecture