IDEC PLCs
Plan Patch | 7.6 | ICS-CERT ICSA-22-006-03 | Jan 6, 2022
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
IDEC PLCs have credential validation weaknesses (CWE-523, CWE-256) in their management interfaces and web servers. An attacker with network access can upload, alter, or download the PLC user program without authentication, allowing them to manipulate process outputs, suspend operations, or hijack the controller entirely. The vulnerability affects the Data File Manager, FC6A/FC6B MICROSmart Series (All-in-One and Plus CPU Modules), FT1A SmartAXIS Pro/Lite, and WindEDIT/WindLDR engineering software.
What this means
What could happen
An attacker with network access to an IDEC PLC could upload malicious firmware or alter the PLC program, allowing them to manipulate process outputs, stop operations, or hijack the controller. The attacker could also steal sensitive program code and configuration data by downloading the user program.
Who's at risk
Manufacturing facilities using IDEC programmable controllers (PLCs) should prioritize this vulnerability, specifically plants running FC6A or FC6B MICROSmart Series (All-in-One or Plus variants) or FT1A SmartAXIS controllers, or using IDEC engineering tools (WindEDIT, WindLDR, Data File Manager) for PLC program development and management. Any facility where a PLC controls critical processes like motor starters, actuators, or valve outputs is at risk.
How it could be exploited
An attacker on the same local network as the PLC sends a crafted request to the PLC's web server or management interface, exploiting a lack of proper authentication or weak credential handling. This allows the attacker to upload a modified PLC program or firmware, which the device executes with full process control privileges.
Prerequisites
- Network access to the PLC's management interface or web server (typically local network or Ethernet port)
- No credentials required to upload or download PLC programs
- PLC must be powered on and accessible on the network
- No authentication required to upload or download PLC programs
- Remotely exploitable over local network
- Low attack complexity
- No patch available for multiple products (end-of-life)
- Affects process control and safety-critical operations
- Allows program manipulation and output hijacking
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (9)
8 with fix, 1 pending

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Data File Manager: v2.12.1 and earlier | ≤ 2.12.1 | v2.13.0 and later |
| FC6A MICROSmart Plus CPU Module: v1.91 and earlier | ≤ 1.91 | v2.00 and later |
| FC6B MICROSmart All-in-One CPU Module: v2.31 and earlier | ≤ 2.31 | v2.40 and later |
| WindEDIT: Lite v1.3.1 and earlier | ≤ 1.3.1 | No fix yet |
| FC6B MICROSmart Plus CPU Module: v2.31 and earlier | ≤ 2.31 | v2.40 and later |
| FT1A Controller SmartAXIS Pro/Lite: v2.31 and earlier | ≤ 2.31 | v2.40 and later |
| WindEDIT Lite: v1.3.1 and earlier | ≤ 1.3.1 | v1.4.0 and later |
| FC6A MICROSmart All-in-One CPU Module: v2.32 and earlier | ≤ 2.32 | v2.40 and later |
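
To triage an asset inventory against the table above, the following added example (not part of the advisory or any IDEC tooling) classifies each entry as affected, fixed, or needing manual verification. The inventory format, hostnames and sample versions are constructed, and dotted versions are assumed to compare component by component.

```python
import csv, io

# Thresholds copied from the "Affected products" table: product -> (last affected, first fixed).
# The "WindEDIT: Lite ... No fix yet" row is left out because it duplicates the WindEDIT Lite row.
ADVISORY = {
    "Data File Manager": ("2.12.1", "2.13.0"),
    "FC6A MICROSmart Plus CPU Module": ("1.91", "2.00"),
    "FC6A MICROSmart All-in-One CPU Module": ("2.32", "2.40"),
    "FC6B MICROSmart All-in-One CPU Module": ("2.31", "2.40"),
    "FC6B MICROSmart Plus CPU Module": ("2.31", "2.40"),
    "FT1A Controller SmartAXIS Pro/Lite": ("2.31", "2.40"),
    "WindEDIT Lite": ("1.3.1", "1.4.0"),
}

def parse_version(text):
    """'v2.31' -> (2, 31); raises ValueError on anything non-numeric."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))

def assess(product, version):
    """Return (status, first_fixed_version) for one inventory entry."""
    if product not in ADVISORY:
        return ("not-listed", None)
    last_affected, fixed = ADVISORY[product]
    try:
        v = parse_version(version)
    except ValueError:
        return ("verify", fixed)      # unreadable version: check the device by hand
    if v <= parse_version(last_affected):
        return ("affected", fixed)
    if v >= parse_version(fixed):
        return ("fixed", fixed)
    return ("verify", fixed)          # between the two thresholds: the table does not say

# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE = """host,product,version
plc-line1,FC6A MICROSmart Plus CPU Module,v1.91
plc-line2,FC6A MICROSmart All-in-One CPU Module,2.40
hmi-pack3,FT1A Controller SmartAXIS Pro/Lite,2.31
eng-ws01,Data File Manager,2.12.5
eng-ws02,WindEDIT Lite,unknown
plc-line4,Some Other Controller,1.0
"""

def audit(csv_text):
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: assess(r["product"], r["version"]) for r in rows}

if __name__ == "__main__":
    for host, (status, fixed) in audit(SAMPLE).items():
        print(f"{host:10} {status:10} fix: {fixed or '-'}")
```

Entries reported as "verify" or "not-listed" still need a manual check against the vendor's release notes before they are treated as safe.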
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to PLC management interfaces by IP address or MAC address, allowing only authorized engineering workstations and administrative devices
- WORKAROUND: Implement firewall rules to block unauthorized access to PLC web server ports from outside the plant floor network
- WORKAROUND: Manage ZLD (Zipped Logic Disk) files with access controls to prevent unauthorized modification or installation of malicious programs
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption.
- HOTFIX: Update FC6A MICROSmart All-in-One CPU Module to v2.40 or later
- HOTFIX: Update FC6B MICROSmart All-in-One CPU Module to v2.40 or later
- HOTFIX: Update FC6A MICROSmart Plus CPU Module to v2.00 or later
- HOTFIX: Update FC6B MICROSmart Plus CPU Module to v2.40 or later
- HOTFIX: Update FT1A Controller SmartAXIS Pro/Lite to v2.40 or later
- HOTFIX: Update WindLDR to v8.20.0 or later
- HOTFIX: Update WindEDIT Lite to v1.4.0 or later
- HOTFIX: Update Data File Manager to v2.13.0 or later
Long-term hardening
- HARDENING: Isolate all PLC networks and remote access devices from the business network using air gaps, firewalls, or dedicated VLANs
- HARDENING: If remote access to PLCs is required, implement secure VPN with strong authentication and keep VPN software updated