Elcomplus SmartICS

Plan Patch8.8ICS-CERT ICSA-22-174-05Jun 23, 2022

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Elcomplus SmartICS v2.3.4.0 and earlier contain vulnerabilities (CWE-79 cross-site scripting, CWE-23 path traversal, CWE-284 improper access control) that allow authenticated users to view unauthorized files on the system or terminate processes. An attacker with valid SmartICS credentials could exploit these issues to access sensitive data, configuration files containing credentials, or disrupt process control by stopping critical services.

What this means

What could happen

An attacker with authenticated access to SmartICS could read sensitive files or terminate running processes, disrupting ICS operations or exposing configuration and credential data.

Who's at risk

Industrial control system operators running Elcomplus SmartICS, particularly water treatment, power distribution, and other critical infrastructure facilities that use SmartICS for process monitoring and control.

How it could be exploited

An attacker with valid SmartICS user credentials can authenticate to the system over the network and exploit path traversal (CWE-23) or cross-site scripting (CWE-79) vulnerabilities to access unauthorized files or trigger process termination through the web interface or command execution functionality.

Prerequisites

Valid SmartICS user credentials (engineering or operator account)
Network access to SmartICS management interface (typically port 80/443)
SmartICS v2.3.4.0 or earlier running

Remotely exploitableRequires valid credentialsLow attack complexityNo patch available at time of advisoryAffects control system operations

Exploitability

Low exploit probability (EPSS 0.3%)

Affected products (1)

ProductAffected VersionsFix Status

SmartICS: v2.3.4.02.3.4.02.4

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDRestrict network access to SmartICS management interface to authorized engineering workstations only using firewall rules

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SmartICS to Version 2.4 or later from the official Elcomplus website

HARDENINGReview and enforce strong password policies for all SmartICS user accounts

Long-term hardening

0/2

HARDENINGPlace SmartICS on a segregated ICS network segment isolated from business network and Internet

HARDENINGIf remote access is required, use VPN with current security patches and network segmentation

CVEs (3)

CVE-2022-2140 CVE-2022-2106 CVE-2022-2088

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/6a3e4271-69b5-442f-b2e3-585c28fd7b84