Keysight N6854A Geolocation server and N6841A RF Sensor software
Act Now | CVSS 9.8 | ICS-CERT ICSA-22-146-01 | May 26, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Keysight N6854A Geolocation server and N6841A RF Sensor software versions 2.3.0 and earlier contain insufficient input validation and unsafe deserialization flaws (CWE-23, CWE-502) that allow unauthenticated remote attackers to obtain arbitrary operating system files or execute arbitrary code with system privileges via requests to the unprotected service port.
What this means
What could happen
An attacker could read arbitrary files from the server or execute code with system privileges, potentially allowing them to obtain RF measurement data, control test parameters, or disable monitoring capabilities used in signal analysis and network testing operations.
Who's at risk
Network test and RF measurement operators and system administrators responsible for Keysight N6854A geolocation servers or N6841A RF sensor systems used in signal analysis, spectrum monitoring, and wireless network testing environments. Affects any utility or test facility using these devices for real-time RF data collection or network characterization.
How it could be exploited
An attacker with network access to TCP port 8080 (or the configured KEYSIGHT_SMS_PORT) can send a crafted request to the unprotected geolocation or RF sensor server to trigger arbitrary file access or command execution without needing valid credentials.
Prerequisites
- Network access to TCP port 8080 (or the port configured in the KEYSIGHT_SMS_PORT environment variable)
- The N6854A or N6841A device must be reachable from the attacker's network location
remotely exploitable | no authentication required | low complexity | no patch available for affected versions | CVSS 9.8 critical
Exploitability
Moderate exploit probability (EPSS 1.0%)
Affected products (1)
Product | Affected Versions | Fix Status
Keysight N6854A and N6841A RF | ≤ 2.3.0 | 2.4.0 or later
Remediation & Mitigation
Do now
WORKAROUND: Block incoming connections to TCP port 8080 (or the port defined by the KEYSIGHT_SMS_PORT environment variable) using firewall rules until patching is complete
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update Keysight N6854A and N6841A RF devices to firmware version 2.4.0 or later
Long-term hardening
HARDENING: Isolate the N6854A and N6841A devices from the business network and place them behind firewalls with default-deny inbound policies
HARDENING: Ensure the devices are not accessible from the Internet
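
The remediation tiers above can be checked against an asset inventory from a host on the business network, which confirms that the firewall workaround actually took effect. This is an added example, not code from Keysight or the advisory: the function names, the action labels and the inventory addresses are assumptions, and the port is taken from a copy of the server's KEYSIGHT_SMS_PORT setting.

```python
import os
import socket

DEFAULT_PORT = 8080          # default service port named in the advisory
FIXED_VERSION = (2, 4, 0)    # first fixed release per the advisory

def service_port(env=os.environ):
    """Port to check: KEYSIGHT_SMS_PORT if it holds a valid port, else 8080.
    Assumption: env mirrors the server's environment, where the variable is set."""
    raw = env.get("KEYSIGHT_SMS_PORT", "").strip()
    if raw.isdigit() and 0 < int(raw) < 65536:
        return int(raw)
    return DEFAULT_PORT

def is_affected(version):
    """True for 2.3.0 and earlier, i.e. any version below 2.4.0."""
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (3 - len(parts)) < FIXED_VERSION

def port_reachable(host, port, timeout=2.0):
    """True if a TCP connection from this vantage point is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unroutable
        return False

def triage(host, version, port=None, timeout=2.0):
    """Map one inventory record to the advisory's remediation tiers."""
    port = service_port() if port is None else port
    exposed = port_reachable(host, port, timeout)
    if is_affected(version):
        return "BLOCK-NOW-AND-PATCH" if exposed else "PATCH"
    # Patched but still reachable: the default-deny hardening is not in place.
    return "RESTRICT-ACCESS" if exposed else "OK"

if __name__ == "__main__":
    # Constructed inventory (documentation addresses); replace with your own.
    inventory = [("192.0.2.10", "2.3.0"), ("192.0.2.11", "2.4.0")]
    for host, version in inventory:
        print(host, version, triage(host, version, timeout=1.0))
```

Run it from each network segment that should be denied; a result of PATCH or OK only shows the port is closed from that vantage point.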
CVEs (2)