AUVESY Versiondog

Plan PatchCVSS 9.8ICS-CERT ICSA-21-292-01Oct 19, 2021

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

AUVESY Versiondog versions earlier than 8.0 contain multiple critical vulnerabilities in input validation, memory management, privilege escalation, and file upload handling (CWE-284, CWE-732, CWE-321, CWE-125, CWE-416, CWE-787, CWE-123, CWE-119, CWE-434, CWE-73, CWE-15, CWE-20, CWE-400, CWE-427, CWE-294, CWE-89) that permit unauthenticated remote code execution and complete system compromise. Successful exploitation could allow an attacker to achieve remote code execution and acquire complete remote control over the Versiondog machine.

What this means

What could happen

An attacker who reaches a Versiondog machine over the network could run arbitrary code and take complete control of it, potentially compromising the integrity of version control data for critical automation, deployment, and change management systems.

Who's at risk

Organizations using Versiondog for software version control and configuration management, especially those managing automation scripts, firmware, and configurations for industrial systems, PLCs, or networked devices. Versiondog is commonly found in manufacturing, process control, and utility environments where change tracking and deployment automation are critical.

How it could be exploited

An attacker with network access to a Versiondog server (typically on port 80/443 or custom ports) can exploit one of multiple input validation, memory handling, or privilege escalation flaws to execute code as the Versiondog service user. No authentication is required.

Prerequisites

Network reachability to Versiondog server port (HTTP/HTTPS or custom)

remotely exploitableno authentication requiredlow complexityhigh CVSS score (9.8)no patch available for versions < 8.0

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (1)

ProductAffected VersionsFix Status

Versiondog: All< 8.08.1+

Remediation & Mitigation

0/3

Do now

0/1

HARDENINGRestrict network access to Versiondog servers: place behind a firewall and deny inbound connections from the Internet and untrusted networks

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Versiondog to version 8.1 or later

Long-term hardening

0/1

HARDENINGIsolate Versiondog from the business network; require VPN for legitimate remote access and keep VPN software current

CVEs (17)

CVE-2021-38457 CVE-2021-38475 CVE-2021-38461 CVE-2021-38451 CVE-2021-38467 CVE-2021-38479 CVE-2021-38449 CVE-2021-38473 CVE-2021-38471 CVE-2021-38477 CVE-2021-38453 CVE-2021-38455 CVE-2021-38463 CVE-2021-38469 CVE-2021-38459 CVE-2021-38481 CVE-2021-38465

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f17b16a8-cc21-4e16-bd3c-4ca02dea7ce9

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.