Distributed Data Systems WebHMI
Act Now
CVSS 10
ICS-CERT ICSA-21-336-03
Dec 2, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Distributed Data Systems WebHMI versions prior to 4.1 contain authentication bypass and remote code execution vulnerabilities. The authentication bypass allows login to an administrator account without a password (CWE-305). The RCE vulnerability (CWE-434) permits arbitrary code execution with root privileges on the HMI system. No known public exploits currently exist, but the critical CVSS score and high EPSS probability indicate these vulnerabilities are attractive attack targets.
What this means
What could happen
An attacker could log into the WebHMI interface without a password using an administrator account, then execute arbitrary commands with root privileges to take control of the HMI system and underlying industrial equipment.
Who's at risk
Manufacturing facilities using Distributed Data Systems WebHMI for process monitoring and control should prioritize this vulnerability. Any WebHMI instance exposed to networks outside the engineering control system—especially those accessible from the internet or untrusted networks—poses an immediate risk to production operations.
How it could be exploited
An attacker on the network (or from the internet if WebHMI is exposed) can access the WebHMI login interface on port 80/443, bypass authentication to gain administrative access, and then execute arbitrary system commands with root-level privileges on the HMI host.
Prerequisites
- Network access to the WebHMI HTTP/HTTPS interface (typically port 80 or 443)
- WebHMI software version below 4.1
- No prior credentials required
- Remotely exploitable
- No authentication required
- Low complexity
- CVSS 10.0 (critical)
- High EPSS score (28.4%)
- No patch available for older versions
- Root privilege execution
- Affects HMI systems that often control critical processes
Exploitability
High exploit probability (EPSS 28.4%)
Affected products (1)
Product | Affected Versions | Fix Status
WebHMI: All | < 4.1 | 4.1
Remediation & Mitigation
Do now
- WORKAROUND: Block inbound internet access to WebHMI ports (80, 443) at the firewall; limit access to trusted engineering networks only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade WebHMI to Version 4.1 or later
- HARDENING: If remote access is required, implement VPN access with strong authentication and restrict to specific administrative users
Long-term hardening
- HARDENING: Isolate the HMI system and all control system networks from the business network using firewalls and air-gapped segments
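As an added example (not part of the advisory or any vendor code), the triage below maps an asset inventory onto the "Do now", "Schedule" and hardening actions listed above. The inventory, the trusted subnet 10.20.0.0/24 and the dotted numeric version format are constructed assumptions.

```python
import ipaddress

FIXED = (4, 1)  # advisory: versions prior to 4.1 are affected
# Assumption: this site's trusted engineering network (constructed value).
TRUSTED = [ipaddress.ip_network("10.20.0.0/24")]

DO_NOW = "do now: restrict 80/443 to trusted engineering networks"
UPGRADE = "schedule: upgrade WebHMI to 4.1 or later"
HARDEN = "hardening: restrict access to trusted networks"
VERIFY = "verify version manually"

# Constructed inventory: host -> (version, source CIDRs the firewall lets
# reach the WebHMI web interface)
INVENTORY = {
    "hmi-line1": ("4.0.9", ["10.20.0.0/24"]),
    "hmi-line2": ("3.4", ["0.0.0.0/0"]),
    "hmi-lab": ("4.10", ["10.20.0.0/24", "192.168.50.0/24"]),
    "hmi-old": ("unknown", ["10.20.0.0/25"]),
}

def parse_version(text):
    """Numeric tuple: "4.10" and "10.0" rank above "4.1", "4.0.9" below it."""
    return tuple(int(part) for part in text.strip().split("."))

def is_exposed(sources):
    """True if any allowed source range lies outside the trusted networks."""
    return any(not any(ipaddress.ip_network(s).subnet_of(t) for t in TRUSTED)
               for s in sources)

def triage(version, sources):
    try:
        affected = parse_version(version) < FIXED
    except ValueError:
        affected = None  # unparseable version: treat as possibly affected
    actions = []
    if affected is None:
        actions.append(VERIFY)
    if is_exposed(sources):
        actions.append(HARDEN if affected is False else DO_NOW)
    if affected:
        actions.append(UPGRADE)
    return actions

def report(inventory=INVENTORY):
    return {host: triage(*entry) for host, entry in inventory.items()}

if __name__ == "__main__":
    for host, actions in report().items():
        print(host, "->", "; ".join(actions) or "no action")
```

A host with an unreadable version string is kept in the "do now" group when it is reachable from untrusted ranges, so an inventory gap does not hide an exposed instance.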
CVEs (2)
API:
/api/v1/advisories/7ec2a562-320b-4a71-b380-6bb990512fc5