Emerson OpenBSI

Act Now9.6ICS-CERT ICSA-22-221-03Aug 9, 2022

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Emerson OpenBSI versions 5.9 SP3 and earlier contain two critical vulnerabilities: (1) CVE-2022-29959 - the User Management Tool uses weak or no credential validation, allowing unauthorized access to RTU credentials; and (2) CVE-2022-29960 - system credentials, engineering files, and utilities are protected with hardcoded DES encryption keys, allowing credential recovery. Both vulnerabilities can lead to remote code execution, controller configuration changes, or denial-of-service on RTU devices controlling critical infrastructure. No vendor patch is available; Emerson has discontinued support for OpenBSI and recommends removing the vulnerable User Management Tool utility.

What this means

What could happen

An attacker with network access to OpenBSI could execute arbitrary code on the RTU controller, change operational setpoints and configurations, or crash the system, potentially disrupting water treatment, distribution, or power generation processes.

Who's at risk

Water treatment facilities, municipal utilities, and power plants using Emerson OpenBSI to manage Remote Terminal Units (RTUs). OpenBSI is commonly used to configure and monitor RTU controllers that control pumps, valves, generators, and other critical infrastructure equipment.

How it could be exploited

An attacker on the network (or via the internet if OpenBSI is exposed) can exploit weak cryptography and unsupported tools to gain unauthorized access to RTU credentials and system files. Once authenticated, the attacker can upload malicious code or modify configuration files to achieve remote code execution on the RTU controller.

Prerequisites

Network access to OpenBSI interface (HTTP/HTTPS port, typically 80 or 443)
No valid credentials required if device is exposed to internet or untrusted network
Device running vulnerable OpenBSI version 5.9 SP3 or earlier

Remotely exploitableLow complexity attackNo authentication required if device is internet-exposedNo vendor patch available (end-of-life product)Affects critical operational equipmentHardcoded cryptographic keys weaken credential protection

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (1)

ProductAffected VersionsFix Status

OpenBSI:≤ 5.9 SP3No fix (EOL)

Remediation & Mitigation

0/6

Do now

0/3

HARDENINGDisable or remove the OpenBSI User Management Tool: delete SecUsers.ini file and UserMngtTool.exe from the OpenBSI installation directory

HARDENINGBack up SecUsers.ini securely before deleting if the User Management Tool has been used

HARDENINGEnsure OpenBSI and all RTU devices are not exposed to the internet—verify firewall rules block inbound access on OpenBSI ports from WAN

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGIf remote access to OpenBSI is required, configure a VPN with current patches and strong authentication; limit VPN access to engineering personnel only

HARDENINGReview OpenBSI Security documentation (Manual D301414x012 Section 6.1) and implement recommended network security controls

Mitigations - no patch available

0/1

OpenBSI: has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGIsolate OpenBSI and RTU devices from the business network using network segmentation; place control system devices behind a firewall with restricted access rules

CVEs (2)

CVE-2022-29959 CVE-2022-29960

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/e5b259b3-f5c7-451e-ba1e-099eb86bfad7