OTPulse

xArrow SCADA

Monitor · CVSS 6.1 · ICS-CERT ICSA-21-229-03 · Aug 17, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

xArrow SCADA versions 7.2 and earlier contain two web interface vulnerabilities: CWE-79 (cross-site scripting) and CWE-22 (path traversal). Successful exploitation could result in remote code execution on the SCADA device. The web server is disabled by default but can be enabled by users. xArrow has not provided patches and does not plan to address these issues. No public exploits are currently known.

What this means
What could happen
An attacker could exploit cross-site scripting and path traversal vulnerabilities in the xArrow SCADA web interface to execute remote code, potentially compromising the SCADA system and affecting energy infrastructure operations.
Who's at risk
Energy sector operators using xArrow SCADA systems version 7.2 and earlier should take action. This affects web-accessible SCADA platforms used in electrical generation, distribution, or control environments where the web interface is enabled.
How it could be exploited
An attacker could deliver a malicious link or craft a request that exploits the web interface vulnerabilities (CWE-79 cross-site scripting, CWE-22 path traversal) to inject code that executes on the SCADA system. User interaction is required—the attack relies on a user clicking a malicious link or accessing a compromised page. Once successful, the attacker gains code execution on the SCADA device.
Prerequisites
  • Web server enabled on the xArrow SCADA device
  • Network access to the web interface (typically HTTP/HTTPS port)
  • User interaction required (victim must click a link or visit a malicious page)
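Since xArrow has said no patch is coming, operators who must keep the web server enabled will want to watch its access log for the two request patterns named in this advisory. The scanner below is an added example, not OTPulse or xArrow code; the Common Log Format lines it scans are constructed for illustration, and the regular expressions are a starting point rather than a definitive signature for either flaw.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format; they are not
# taken from any real xArrow deployment and only illustrate the two patterns.
SAMPLE_LOG = """\
10.0.5.21 - - [17/Aug/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.5.77 - - [17/Aug/2021:10:02:15 +0000] "GET /view?file=..%2F..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 221
10.0.5.77 - - [17/Aug/2021:10:02:40 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 880
10.0.5.77 - - [17/Aug/2021:10:03:01 +0000] "GET /view?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 10
10.0.5.21 - - [17/Aug/2021:10:04:09 +0000] "GET /status?tag=pump1 HTTP/1.1" 200 64
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# ".." as a whole path segment followed by a slash or backslash (CWE-22).
TRAVERSAL_RE = re.compile(r'(?:^|[^\w.])\.\.(?:[\\/]|$)')
# Script tags, javascript: URLs and inline event handlers (CWE-79); tune
# the handler clause if the application uses parameter names like "action=".
XSS_RE = re.compile(r'<\s*script|javascript:|on\w+\s*=', re.IGNORECASE)

def normalize(target, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%252e) unwrap."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify(target):
    """Return the CWE labels the decoded request target matches."""
    decoded = normalize(target)
    findings = []
    if TRAVERSAL_RE.search(decoded):
        findings.append("CWE-22")
    if XSS_RE.search(decoded):
        findings.append("CWE-79")
    return findings

def scan_log(text):
    """Return a list of (client ip, raw target, findings) for suspicious requests."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            hits = classify(m.group("target"))
            if hits:
                alerts.append((m.group("ip"), m.group("target"), hits))
    return alerts
```

Running `scan_log(SAMPLE_LOG)` flags the three requests from 10.0.5.77 and ignores the two benign ones; feed it the real log file's contents instead of the sample to use it in practice.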
Tags: remotely exploitable · no authentication required · low complexity · no patch available
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
SCADA | ≤ 7.2 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Disable the web server on xArrow SCADA devices if it is not required for operations
Long-term hardening
HARDENING: Implement network segmentation to isolate SCADA systems from the Internet and the business network
HARDENING: Place SCADA networks and remote access points behind firewalls with restrictive inbound rules
HARDENING: Use a VPN for required remote access to SCADA systems, and keep it updated to the latest version