ICSA-21-138-01_Emerson Rosemount X-STREAM

MonitorCVSS 7.5ICS-CERT ICSA-21-138-01May 18, 2021

Emerson

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Emerson X-STREAM enhanced analyzer models (XEGP, XEGK, XEXF, XEFD) are affected by multiple vulnerabilities in web interface access controls. Weaknesses include insufficient cryptography (CWE-326), unrestricted file uploads (CWE-434), path traversal (CWE-22), exposure of sensitive information (CWE-539), cross-site scripting (CWE-79), and improper input validation (CWE-1021). An unauthenticated attacker with network access can read sensitive configuration data, extract stored credentials, or upload malicious files to the device. No public exploits are known at this time.

What this means

What could happen

An attacker with network access could read sensitive configuration data or extract credentials from affected X-STREAM devices without authentication, potentially allowing them to understand your process configuration or reuse credentials for further access to connected systems.

Who's at risk

Water and wastewater utilities, power generation facilities, and other critical infrastructure operators using Emerson X-STREAM enhanced XEGP, XEGK, XEXF, or XEFD analyzers for process monitoring. These are measurement and analytical devices common in flow, pressure, and quality monitoring applications.

How it could be exploited

An attacker on your network (or the Internet if the device is exposed) connects to the web interface of an affected X-STREAM device. Multiple vulnerabilities allow the attacker to bypass authentication, upload files, traverse the filesystem, or extract session data—ultimately reading configuration files or credential storage without needing a valid login.

Prerequisites

Network access to the X-STREAM device's web interface (typically port 80/443)
Device must be connected to network (no air-gap protection)
No authentication required

remotely exploitableno authentication requiredlow complexityno patch availableaffects multiple analyzer models

Exploitability

Unlikely to be exploited — EPSS score 0.7%

Affected products (4)

4 EOL

ProductAffected VersionsFix Status

X-STREAM enhanced XEGP: all revisionsAll versionsNo fix (EOL)

X-STREAM enhanced XEGK: all revisionsAll versionsNo fix (EOL)

X-STREAM enhanced XEXF: all revisionsAll versionsNo fix (EOL)

X-STREAM enhanced XEFD: all revisionsAll versionsNo fix (EOL)

Remediation & Mitigation

0/5

Do now

0/3

HARDENINGIsolate X-STREAM devices from the Internet and from your business network using firewalls and network segmentation.

WORKAROUNDRestrict network access to X-STREAM web interface to only authorized engineering workstations or SCADA servers using firewall rules.

HARDENINGConfigure web browsers accessing X-STREAM to never store login credentials or session data.

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate firmware to the latest release from Emerson. Contact TechSupport.Hasselroth@emerson.com for availability and scheduling.

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: X-STREAM enhanced XEGP: all revisions, X-STREAM enhanced XEGK: all revisions, X-STREAM enhanced XEXF: all revisions, X-STREAM enhanced XEFD: all revisions. Apply the following compensating controls:

HARDENINGIf remote access is required, require VPN with multi-factor authentication and ensure VPN is updated to the latest version.

CVEs (6)

CVE-2021-27457 CVE-2021-27459 CVE-2021-27461 CVE-2021-27463 CVE-2021-27465 CVE-2021-27467

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/19e63868-77d1-4eee-a357-609fa45ef89a

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.