OTPulse

Xylem Aanderaa GeoView

Plan Patch · 8.2 · ICS-CERT ICSA-21-334-01 · Nov 30, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

AADI GeoView Webservice contains a SQL injection vulnerability (CWE-89) that allows an attacker to manipulate the database server. The vulnerability affects all versions prior to 2.1.3. Cloud/SaaS users have already been remediated by Xylem. On-premises deployments remain vulnerable if not updated.

What this means
What could happen
An attacker could inject SQL commands to read, modify, or delete data in the GeoView database, potentially compromising sensor data integrity, historical records, or operational reporting used by water/environmental monitoring systems.
Who's at risk
On-premises deployments of AADI GeoView Webservice used by water utilities, environmental agencies, and wastewater treatment facilities for remote monitoring and data management of Aanderaa oceanographic and environmental sensors.
How it could be exploited
An attacker with network access to the GeoView Webservice can submit malicious SQL queries through user input fields or API parameters. The application does not properly sanitize input, allowing the SQL injection to execute against the backend database and return or manipulate data without authentication.
Prerequisites
  • Network access to the GeoView Webservice web interface or API endpoint
  • GeoView Webservice version earlier than 2.1.3 (on-premises deployment)
  • No valid credentials required
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • SQL injection (CWE-89)
  • Affects data integrity and confidentiality
Exploitability
Moderate exploit probability (EPSS 1.5%)
Affected products (1)
Product                         | Affected Versions | Fix Status
AADI GeoView Webservice: All    | < 2.1.3           | 2.1.3
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the GeoView Webservice to trusted administrative networks using firewall rules or network segmentation
WORKAROUND: If running on-premises and the patch cannot be deployed immediately, disable or isolate the Webservice until the update can be applied
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade AADI GeoView Webservice to version 2.1.3 or later