OTPulse

VISAM VBASE Editor

Priority: Act Now · CVSS 7.4 · ICS-CERT ICSA-21-308-01 · Nov 4, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

VBASE Pro-RT/Server-RT Web Remote v11.6.0.6 contains multiple vulnerabilities: user-controllable input is not neutralized before it is rendered (cross-site scripting), local files can be disclosed, NTLM Windows credential hashes can be extracted, and sensitive configuration files can be read. The root causes are improper input validation, insecure file handling, and credential exposure.

What this means
What could happen
An attacker could steal Windows login credentials (NTLM hashes) and read sensitive files from servers running VBASE Pro-RT/Server-RT Web Remote. If an affected server controls industrial processes, the attacker could use compromised credentials to modify system settings or access other plant equipment.
Who's at risk
This affects organizations using VISAM VBASE Pro-RT or Server-RT for engineering, monitoring, and remote access to industrial control systems. This includes water and wastewater utilities, power generation facilities, and manufacturing plants that rely on VBASE for SCADA system engineering workstations or remote HMI (human-machine interface) access.
How it could be exploited
An attacker sends a specially crafted request to the VBASE web interface; no authentication is required. Depending on the weakness targeted, the server either reflects injected script into a page that runs in the browser of a user who opens it (cross-site scripting) or discloses local files, configuration data, and Windows NTLM credential hashes. The attacker can then use the stolen credentials (cracked offline or relayed) to reach VBASE engineering workstations or other systems on the same network.
Prerequisites
  • Network access to VBASE Web Remote port (typically 80/443)
  • User must click a link or visit a malicious website (user-assisted for some attack vectors)
  • VBASE Pro-RT/Server-RT v11.6.0.6 or earlier running and web-accessible
Tags: Actively exploited (KEV) · Remotely exploitable · No authentication required · Low complexity · High EPSS score (72.9%) · Affects engineering and system credentials
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (1)
Product                              | Affected Versions | Fix Status
VBASE Pro-RT/Server-RT (Web Remote)  | 11.6.0.6          | No fix yet
Remediation & Mitigation
Do now
HOTFIX: Update VBASE Pro-RT/Server-RT to v11.7.0.2 or later. Contact VISAM through their website to request the update download link.
WORKAROUND: Until patching is complete, restrict network access to VBASE Web Remote to trusted engineering workstations only, using firewall rules. Block all inbound access from the Internet and the business network.
WORKAROUND: Disable the VBASE Web Remote feature if it is not actively being used for remote access.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Segment VBASE servers on a dedicated control system network isolated from the business network and the Internet. Use a VPN with multi-factor authentication for any required remote access.
Long-term hardening
HARDENING: Monitor VBASE server logs for unusual web requests or access patterns, in particular requests carrying path-traversal sequences, UNC paths, or script fragments, and any request to Web Remote from an address outside the trusted engineering subnet.
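The following is an added detection example, not code from OTPulse, VISAM, or the CISA advisory. It scans web-server access log lines for the request shapes that correspond to the weakness classes named in this advisory (path traversal toward local files, UNC paths that would make a Windows host authenticate outbound with NTLM, and script fragments for XSS) and flags any Web Remote request from outside a trusted engineering subnet, which is the workaround this page recommends. The advisory does not document the VBASE log format, the Web Remote URL layout, or the exact parameters involved; the combined-log-style lines, the `/webremote/...` paths, the `file=` and `q=` parameters, and the `10.0.5.0/24` trusted subnet below are all constructed assumptions for illustration. The UNC-path indicator is included because forced outbound SMB authentication is the usual way NTLM hashes leak from a web application, not because the advisory states that mechanism.

```python
"""Scan access-log lines for indicators matching the VISAM VBASE Web Remote
weakness classes (ICSA-21-308-01): traversal, UNC paths, XSS, untrusted sources.
Added example; log format, paths, parameters and subnet are assumptions."""
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample lines (not real VBASE logs). Combined-log-style layout is assumed.
SAMPLE_LOG = """\
10.0.5.21 - - [04/Nov/2021:10:01:12 +0000] "GET /webremote/index.html HTTP/1.1" 200 5120
203.0.113.45 - - [04/Nov/2021:10:02:03 +0000] "GET /webremote/view?file=..%2F..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 92
203.0.113.45 - - [04/Nov/2021:10:02:09 +0000] "GET /webremote/view?file=%5C%5C203.0.113.45%5Cshare%5Cx HTTP/1.1" 500 0
203.0.113.45 - - [04/Nov/2021:10:02:30 +0000] "GET /webremote/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 310
10.0.5.22 - - [04/Nov/2021:10:03:00 +0000] "POST /webremote/login HTTP/1.1" 302 0
203.0.113.45 - - [04/Nov/2021:10:04:11 +0000] "GET /webremote/search?q=%253Cscript%253Ealert(2)%253C%252Fscript%253E HTTP/1.1" 200 310
"""

# Assumed trusted engineering-workstation subnet (the workaround's firewall allowlist).
TRUSTED_NETS = [ipaddress.ip_network("10.0.5.0/24")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicator patterns are applied to the URL-decoded request path + query.
INDICATORS = [
    # "../" or "..\" sequences and well-known Windows/Unix probe files (local file disclosure)
    ("path-traversal", re.compile(r"(\.\./|\.\.\\|/etc/passwd|\\windows\\|boot\.ini|win\.ini)", re.I)),
    # \\host\share style path: a Windows server opening it would send NTLM auth to "host"
    ("unc-path", re.compile(r"\\\\[A-Za-z0-9.\-]+\\", re.I)),
    # script tags and event handlers (reflected/stored XSS payloads)
    ("xss", re.compile(r"(<script|javascript:|onerror\s*=|onload\s*=)", re.I)),
]


def decode(path: str) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads such as %253C are seen."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def analyze(log_text: str) -> list:
    """Return one finding per suspicious request: ip, timestamp, raw path, status, tags."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production tool should count these
        decoded = decode(m.group("path"))
        tags = [name for name, rx in INDICATORS if rx.search(decoded)]
        if not any(ipaddress.ip_address(m.group("ip")) in net for net in TRUSTED_NETS):
            tags.append("untrusted-source")
        if tags:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": m.group("path"),
                "status": int(m.group("status")),
                # a 2xx on a traversal/UNC request suggests the server acted on it
                "likely_success": int(m.group("status")) < 400,
                "tags": tags,
            })
    return findings


def summarize(findings: list) -> dict:
    """Count findings per source address, useful for prioritising which host to block."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], ",".join(f["tags"]), f["path"])
    print(summarize(analyze(SAMPLE_LOG)))
```

Running it on the constructed lines flags the four requests from 203.0.113.45 and none from the trusted subnet; the double-encoded payload on the last line is caught only because `decode()` decodes more than once, which is the edge case a single `unquote()` call misses. Tune `TRUSTED_NETS` to the real engineering subnet before using this against production logs, and treat a traversal or UNC hit with a 2xx status as a likely disclosure rather than a mere attempt.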