ICSA-21-217-03: mySCADA myPRO
Plan Patch · 8.2 · ICS-CERT ICSA-21-217-03 · Aug 5, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
mySCADA myPRO contains multiple vulnerabilities (CWE-284, CWE-434, CWE-22, CWE-548) affecting all versions below 8.20.0. These include improper permission handling, arbitrary file upload, path traversal, and exposure of sensitive configuration and credential data. An unauthenticated attacker with network access can read configuration files, upload arbitrary files, or access protected files on the system.
What this means
What could happen
An attacker with network access to myPRO could read sensitive configuration and credential data, upload arbitrary files to the system, or access files outside intended directories. This could lead to unauthorized control of the SCADA system and disruption of energy generation or distribution operations.
Who's at risk
Energy utilities and power generation facilities using mySCADA myPRO for SCADA control systems should prioritize this vulnerability. Any organization relying on myPRO for process control, monitoring, or data management is at risk.
How it could be exploited
An attacker on the network can send unauthenticated requests to the myPRO service to read configuration files containing credentials or sensitive parameters, upload malicious files to gain code execution, or traverse the file system to access protected files. No authentication or user interaction is required.
Prerequisites
- Network access to the myPRO service port
- myPRO version below 8.20.0 running and accessible
- No authentication required
Remotely exploitable · No authentication required · Low attack complexity · Affects SCADA control systems · No patch currently available for vulnerable versions
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
myPRO: All | < 8.20.0 | 8.20.0 or later
Remediation & Mitigation
Do now
HARDENING: Isolate myPRO systems from direct Internet access; do not expose control system networks to untrusted networks
HARDENING: Place myPRO behind a firewall and separate the control system network from the business network with network segmentation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update myPRO to version 8.20.0 or later
HARDENING: For required remote access, implement secure methods such as VPN with current patches and multi-factor authentication