Distributed Data Systems WebHMI
Monitor · 6.2 · ICS-CERT ICSA-22-181-04 · Jun 30, 2022
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: Required
Summary
Distributed Data Systems WebHMI versions 4.1.1.7662 and prior contain two vulnerabilities: (1) arbitrary OS command injection (CWE-78) allowing an authenticated administrator to execute commands on the host system, and (2) cross-site scripting (CWE-79) allowing injection of malicious scripts that affect other logged-in users. Successful exploitation requires administrative privileges within the WebHMI application. No vendor patch is currently available.
What this means
What could happen
An authenticated administrator in WebHMI could execute arbitrary commands on the underlying operating system or perform cross-site scripting attacks affecting other logged-in users, potentially compromising the HMI and connected control processes.
Who's at risk
Manufacturing facilities using Distributed Data Systems WebHMI for process monitoring and control should prioritize this. This includes facilities with WebHMI as the primary or secondary HMI for PLCs, RTUs, or other control devices on the production floor.
How it could be exploited
An attacker with valid administrative credentials (or who has compromised an admin account) logs into WebHMI and injects malicious input via the web interface. The input is either executed as an OS command (CWE-78) or reflected in the page to attack other users (CWE-79, stored XSS). If the HMI is internet-facing or accessible from an attacker's network, the attacker does not have to get past any network segmentation first.
Prerequisites
- Valid WebHMI administrative account credentials
- Network access to the WebHMI web interface (port 80/443 or custom)
- User interaction required (for XSS attacks against other logged-in users)
- Remotely exploitable (if internet-facing or on same network)
- Requires valid administrative credentials
- No patch available from vendor
- Cross-site scripting could affect multiple operators
- Low exploit complexity once credentials are obtained
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| WebHMI: 4.1.1.7662 (and possibly prior versions) | 4.1.1.7662 (and possibly prior versions) | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Isolate WebHMI behind a firewall and restrict network access to authorized engineering workstations only
- HARDENING: Disable internet-facing access to WebHMI; use VPN with multi-factor authentication if remote engineering access is required
- HARDENING: Enforce strong, unique administrative credentials and limit the number of administrative accounts
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor WebHMI logs for suspicious input patterns or command execution attempts
Mitigations - no patch available
WebHMI: 4.1.1.7662 (and possibly prior versions) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Segment the control system network from the business network to limit lateral movement
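The log-monitoring step above, as an added example (not part of the advisory or any vendor tooling): a heuristic scan of request parameters for command-injection and script-injection markers. It assumes WebHMI is reached through a reverse proxy that writes combined-format access logs; the paths, addresses and log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Assumption: a reverse proxy in front of WebHMI writes combined-format
# access logs. WebHMI's own log format is not described in the advisory.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Heuristic indicators for the two weakness classes named in the advisory.
RULES = {
    "CWE-78": re.compile(r'(?:[;|`]|&&|\$\()\s*[\w/.]'),
    "CWE-79": re.compile(r'<\s*script\b|<[^>]*\bon\w+\s*=|javascript:', re.I),
}

# Constructed sample log lines; the /example/... paths are hypothetical.
SAMPLE = [
    '10.0.5.20 - admin [30/Jun/2022:08:01:12 +0000] "GET /example/page?tab=trends&unit=line+1 HTTP/1.1" 200 512',
    '198.51.100.7 - admin [30/Jun/2022:08:03:40 +0000] "GET /example/tool?host=127.0.0.1%3B+id HTTP/1.1" 200 301',
    '198.51.100.7 - admin [30/Jun/2022:08:04:02 +0000] "GET /example/label?title=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 288',
    '198.51.100.7 - admin [30/Jun/2022:08:04:30 +0000] "GET /example/tool?host=%2524%2528id%2529 HTTP/1.1" 200 301',
]


def scan(lines):
    """Return (source_ip, cwe, parameter, decoded_value) per suspicious parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        query = urlsplit(m["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            value = unquote_plus(value)  # second pass catches double-encoded input
            for cwe, rule in RULES.items():
                if rule.search(value):
                    findings.append((m["ip"], cwe, name, value))
    return findings


if __name__ == "__main__":
    for ip, cwe, name, value in scan(SAMPLE):
        print(f"{cwe} indicator from {ip}: {name}={value!r}")
```

Access logs record only the query string, so input submitted in POST bodies is covered only if the proxy or a WAF also logs request bodies.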
CVEs (2)