Elcomplus SmartPTT SCADA

Plan PatchCVSS 9.8ICS-CERT ICSA-22-109-04Apr 19, 2022

Energy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

SmartPTT SCADA v1.1 contains multiple critical vulnerabilities: - CWE-22: Path traversal allowing unauthorized file system access outside restricted directories - CWE-434: Unrestricted file upload enabling transfer of dangerous file types that the product processes automatically - CWE-285: Improper access control allowing unauthorized access to actions and resources - CWE-79: Potential stored data integrity issues via unsafe database operations These vulnerabilities allow attackers to read sensitive files, upload malicious content for automatic processing, and bypass authorization controls.

What this means

What could happen

An attacker could read configuration files and operational data from your SCADA server, upload and execute malicious code that the system processes automatically, or alter critical control parameters without authorization. This could lead to disruption or manipulation of power distribution, water treatment processes, or other monitored infrastructure.

Who's at risk

Energy sector operators using SmartPTT SCADA for real-time monitoring and control of power generation, distribution, or transmission systems. This includes electric utilities and municipal power authorities running SCADA servers to monitor and manage grid operations, switchgear, and protective equipment. Water authorities using SmartPTT SCADA for treatment plant monitoring are also affected.

How it could be exploited

An attacker with network access to the SmartPTT SCADA server can exploit the path traversal vulnerability to read sensitive files, or use the file upload vulnerability to inject malicious files that the product automatically processes. No authentication is required. Once files are uploaded, the product executes them, allowing arbitrary code execution on the SCADA server.

Prerequisites

Network access to SmartPTT SCADA server (HTTP/HTTPS port)
No authentication required
SmartPTT SCADA version 1.1 deployed

Remotely exploitableNo authentication requiredLow complexity attackCritical CVSS 9.8Affects SCADA/supervisory controlPath traversal and code execution combinationDefault or insecure file handling

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (1)

ProductAffected VersionsFix Status

SmartPTT SCADA: v1.11.12.3.4+

Remediation & Mitigation

0/6

Do now

0/2

WORKAROUNDRestrict network access to SmartPTT SCADA server—place it behind a firewall and block all inbound access except from authorized engineering workstations and administrative hosts

WORKAROUNDDisable or restrict the file upload feature in SmartPTT SCADA if not required for operations

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade SmartPTT SCADA to version 2.3.4 or later

Long-term hardening

0/3

HARDENINGIsolate the SCADA network from the business network using a DMZ or air-gap configuration

HARDENINGImplement network segmentation to limit lateral movement if SCADA server is compromised

HARDENINGMonitor SCADA server logs for suspicious file access patterns, upload attempts, or unauthorized process execution

CVEs (4)

CVE-2021-43932 CVE-2021-43939 CVE-2021-43934 CVE-2021-43930

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/fb1773b9-c3e1-4911-8f81-c0dd7e16f820

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.