OTPulse

Xylem AquaView

Plan Patch | 9.3 | ICS-CERT ICSA-21-350-01 | Dec 16, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

AquaView versions 1.60, 7.x, and 8.x contain a hardcoded credential vulnerability (CWE-798) that allows an authenticated local attacker to create users, delete users, disable user groups, and modify system security levels. This vulnerability is not remotely exploitable and requires local access with valid credentials. No public exploit is currently known, but the vendor has not released a firmware patch for affected versions.

What this means
What could happen
An authenticated attacker with local access to the AquaView system could create unauthorized users, delete existing users, disable user groups, and modify system and security settings, potentially compromising operational control and auditability of the water treatment or distribution system.
Who's at risk
Water utilities and municipal water authorities using Xylem AquaView systems (versions 1.60, 7.x, 8.x) for monitoring and control of treatment plants, distribution networks, and operational intelligence should implement protective measures immediately, as this affects core system administration and security controls.
How it could be exploited
An attacker with local access to the AquaView system and valid credentials could exploit hardcoded or weakly protected credentials to elevate privileges and modify user accounts and security configurations without detection.
Prerequisites
  • Local access to the AquaView system
  • Valid user account credentials on the system
  • Physical or administrative access to the workstation or server running AquaView
Tags: no patch available · default or hardcoded credentials · local access required but attacker with valid credentials could escalate privileges · affects user and permission management
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product    Affected Versions    Fix Status
AquaView   1.60, 7.x, 8.x       No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Implement new security settings as described in Xylem Product Security Advisory XSA-2021-006
HARDENING: Restrict local access to AquaView workstations and servers through physical and logical controls
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Enable and enforce strong password policies and multi-factor authentication for all AquaView user accounts
HARDENING: Implement regular user access reviews and audit logging to detect unauthorized account modifications
Mitigations - no patch available
AquaView has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Segregate AquaView systems from untrusted networks using network segmentation and firewalls