Emerson ControlWave
Act Now | 9.1 | ICS-CERT ICSA-22-221-02 | Aug 9, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Emerson ControlWave contains a vulnerability that allows remote attackers without authentication to manipulate files, execute arbitrary code, or cause denial-of-service. The vulnerability is remotely exploitable over the network with low complexity and does not require authentication or user interaction.
What this means
What could happen
An attacker could remotely upload malicious firmware to the RTU, gaining code execution on the device and the ability to alter process logic, change setpoints, or stop critical water/electric operations. Firmware integrity can be verified only through manual administrative verification; the device offers no other way to check it.
Who's at risk
Water and electric utilities operating Emerson ControlWave RTUs (Remote Terminal Units) in any version. ControlWave is commonly deployed in SCADA systems for remote monitoring and control of generation, distribution, and water treatment facilities. Any organization where firmware integrity is critical to safe operations should consider this high-risk.
How it could be exploited
An attacker with network access to the ControlWave RTU could directly upload a malicious firmware image via the remote firmware download feature without any credentials. If successful, the attacker gains full code execution on the RTU, allowing arbitrary commands including process manipulation or denial-of-service.
Prerequisites
- Network access to the ControlWave RTU (no specific port mentioned; assume Modbus TCP 502 or vendor proprietary protocol)
- No credentials required
- Remote firmware download feature must be enabled (default or typical configuration)
- Attacker must craft a firmware image that ControlWave will accept as valid
Remotely exploitable | No authentication required | Low complexity attack | No patch available | Affects critical operational control
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product | Affected Versions | Fix Status
ControlWave: All versions | All versions | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Enable the hardware switch to block remote firmware download if your ControlWave RTU has one installed
- HARDENING: Set the system variable '_APPLICATION_LOCKED' to TRUE to disable remote firmware download capability
- HARDENING: Implement firewall rules to block inbound access to the ControlWave RTU from any network except authorized engineering workstations on known ports
- HARDENING: If remote access to the RTU is required, allow that traffic only through a VPN tunnel and restrict it to specific management IPs
- WORKAROUND: Before any firmware update, manually verify MD5/SHA256 hashes against Emerson SupportNet published values to confirm authenticity and integrity
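The hash check in the workaround above can be scripted on the engineering workstation. The following is an added example, not Emerson tooling or part of the advisory. The firmware path and the published digest values are supplied by the operator, and flagging an MD5-only match with a note is an assumption of this example.

```python
import hashlib
import hmac
import re
from pathlib import Path

ALGORITHMS = ("sha256", "md5")  # the two digest types the workaround names


def digest_file(path, chunk_size=1 << 20):
    """Stream the file once and return {"sha256": hex, "md5": hex}."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_firmware(path, published):
    """Check a firmware image against digests copied from the vendor portal.

    `published` maps "sha256"/"md5" to a hex string. Returns (ok, notes):
    ok is True only if at least one digest was supplied and all of them match.
    """
    known = {k.lower(): v for k, v in published.items() if k.lower() in ALGORITHMS}
    if not known:
        return False, ["no published SHA-256 or MD5 value supplied"]
    actual = digest_file(path)
    ok, notes = True, []
    for name, expected in known.items():
        # Normalise copy/paste artefacts: whitespace, upper case, ':' separators.
        want = re.sub(r"[\s:]", "", expected).lower()
        hex_len = hashlib.new(name).digest_size * 2
        if not re.fullmatch(r"[0-9a-f]{%d}" % hex_len, want):
            ok = False
            notes.append(f"{name}: published value is not {hex_len} hex characters")
        elif not hmac.compare_digest(want, actual[name]):
            ok = False
            notes.append(f"{name}: MISMATCH, computed {actual[name]}")
    if ok and "sha256" not in known:
        # Assumption of this example: an MD5-only match passes but is flagged.
        notes.append("md5 only: MD5 is not collision resistant, prefer SHA-256")
    return ok, notes
```

Copy the published values from the vendor portal over a separate trusted channel, not from the same location the image was downloaded from, and stop the update if `ok` is False.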
Mitigations - no patch available
ControlWave: All versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Isolate the ControlWave RTU and all SCADA devices on a dedicated control network physically separated from business IT networks
CVEs (1)