mySCADA myPRO

Act Now10ICS-CERT ICSA-21-355-01Dec 21, 2021

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

mySCADA myPRO versions 8.20.0 and earlier contain multiple vulnerabilities (CWE-288 insufficient verification, CWE-916 use of password hash with insufficient computational effort, CWE-912 hidden functionality, CWE-78 improper neutralization of special elements used in an OS command). Successful exploitation could allow an attacker to completely compromise the product.

What this means

What could happen

An attacker could gain complete control of myPRO systems, potentially executing arbitrary commands, bypassing authentication, or disabling the SCADA platform. This could stop industrial operations, alter control setpoints, or prevent monitoring and response to critical events.

Who's at risk

Energy sector organizations operating mySCADA myPRO systems, including utilities, generation facilities, and industrial control networks that rely on this SCADA platform for monitoring and command execution. Any facility using myPRO version 8.20.0 or earlier is at risk.

How it could be exploited

An attacker with network access to the myPRO interface could exploit weak password hashing (CWE-916) to bypass authentication, leverage hidden functionality (CWE-912) to gain unauthorized access, or inject OS commands (CWE-78) to execute arbitrary code with system privileges. No user interaction is required; the attack can be performed remotely.

Prerequisites

Network access to the myPRO application/interface
myPRO version 8.20.0 or earlier

remotely exploitableno authentication requiredlow complexityhigh CVSS score (10.0)affects SCADA/control systemsno patch available for older versions

Exploitability

Low exploit probability (EPSS 0.4%)

Affected products (1)

ProductAffected VersionsFix Status

myPRO:≤ 8.20.08.22.0

Remediation & Mitigation

0/3

Do now

0/2

HARDENINGIsolate myPRO systems behind firewalls and restrict network access from the business network and Internet

HARDENINGIf remote access to myPRO is required, use a VPN or secure out-of-band management channel and keep it updated

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade myPRO to version 8.22.0 or higher

CVEs (8)

CVE-2021-43985 CVE-2021-43989 CVE-2021-43987 CVE-2021-44453 CVE-2021-22657 CVE-2021-23198 CVE-2021-43981 CVE-2021-43984

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/fdf181aa-4cb5-4bf5-9117-8411d1bc51dc