AUVESY Versiondog

Act Now9.8ICS-CERT ICSA-21-292-01Oct 19, 2021

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

AUVESY Versiondog versions earlier than 8.0 contain multiple critical vulnerabilities in input validation, memory management, privilege escalation, and file upload handling (CWE-284, CWE-732, CWE-321, CWE-125, CWE-416, CWE-787, CWE-123, CWE-119, CWE-434, CWE-73, CWE-15, CWE-20, CWE-400, CWE-427, CWE-294, CWE-89) that permit unauthenticated remote code execution and complete system compromise. Successful exploitation could allow an attacker to achieve remote code execution and acquire complete remote control over the Versiondog machine.

What this means

What could happen

An attacker who reaches a Versiondog machine over the network could run arbitrary code and take complete control of it, potentially compromising the integrity of version control data for critical automation, deployment, and change management systems.

Who's at risk

Organizations using Versiondog for software version control and configuration management, especially those managing automation scripts, firmware, and configurations for industrial systems, PLCs, or networked devices. Versiondog is commonly found in manufacturing, process control, and utility environments where change tracking and deployment automation are critical.

How it could be exploited

An attacker with network access to a Versiondog server (typically on port 80/443 or custom ports) can exploit one of multiple input validation, memory handling, or privilege escalation flaws to execute code as the Versiondog service user. No authentication is required.

Prerequisites

Network reachability to Versiondog server port (HTTP/HTTPS or custom)

remotely exploitableno authentication requiredlow complexityhigh CVSS score (9.8)no patch available for versions < 8.0

Exploitability

Low exploit probability (EPSS 0.3%)

Affected products (1)

ProductAffected VersionsFix Status

Versiondog: All< 8.08.1 or later

Remediation & Mitigation

0/3

Do now

0/1

HARDENINGRestrict network access to Versiondog servers: place behind a firewall and deny inbound connections from the Internet and untrusted networks

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Versiondog to version 8.1 or later

Long-term hardening

0/1

HARDENINGIsolate Versiondog from the business network; require VPN for legitimate remote access and keep VPN software current

CVEs (17)

CVE-2021-38457 CVE-2021-38475 CVE-2021-38461 CVE-2021-38451 CVE-2021-38467 CVE-2021-38479 CVE-2021-38449 CVE-2021-38473 CVE-2021-38471 CVE-2021-38477 CVE-2021-38453 CVE-2021-38455 CVE-2021-38463 CVE-2021-38469 CVE-2021-38459 CVE-2021-38481 CVE-2021-38465

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f17b16a8-cc21-4e16-bd3c-4ca02dea7ce9