Softing Secure Integration Server

Act NowCVSS 9.8ICS-CERT ICSA-22-228-04Aug 16, 2022

Softing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple vulnerabilities in Softing products allow remote code execution and denial of service. Affected products include Secure Integration Server (≤1.22), edgeAggregator (3.1), edgeConnector (3.1), OPC Suite (5.2), OPC UA C++ Server SDK (6), and uaGate (1.74). The vulnerabilities stem from improper input validation (CWE-125), insecure component loading (CWE-427), insufficient authentication (CWE-287), path traversal (CWE-23), unencrypted transmission (CWE-319), null pointer dereference (CWE-476), and integer underflow (CWE-191). An unauthenticated attacker can send specially crafted network requests to trigger arbitrary code execution or service crashes.

What this means

What could happen

An attacker with network access to the affected Softing products could execute arbitrary code or cause denial of service, potentially halting data aggregation, connectivity, or OPC UA communications that your control systems depend on.

Who's at risk

Water authorities and utilities operating Softing integration products for OPC UA data aggregation, connectivity, or SCADA integration. Primary concern is edgeAggregator, edgeConnector, and Secure Integration Server running in control system networks. Equipment affected includes gateways, aggregators, and integration servers that connect field devices or legacy systems to SCADA or HMI platforms.

How it could be exploited

An attacker on the network sends a crafted request to the Softing product (typically port 9000 for HTTP or HTTPS) without authentication. The product fails to validate input or enforces insufficient access controls, allowing the attacker to execute commands or crash the service. The low complexity means straightforward off-the-shelf tools could be used.

Prerequisites

Network-layer access to the affected Softing product
Knowledge of the product's IP address and port (typically 9000)
Default credentials if admin password has not been changed

remotely exploitableno authentication requiredlow complexityhigh EPSS score (68.6%)affects data integration critical to operations

Exploitability

Likely to be exploited — EPSS score 68.6%

Metasploit module available — weaponized exploitView module ↗

Affected products (6)

1 with fix5 pending

ProductAffected VersionsFix Status

edgeAggregator:3.1No fix yet

edgeConnector:3.1No fix yet

OPC Suite:5.2No fix yet

OPC UA C++ Server SDK:6No fix yet

uaGate:1.74No fix yet

Secure Integration Server:≤ 1.221.30

Remediation & Mitigation

0/6

Do now

0/3

HARDENINGChange or delete the default admin user account and set a strong admin password

WORKAROUNDConfigure Windows firewall to block inbound traffic to port 9000

WORKAROUNDDisable HTTP server in NGINX configuration; use HTTPS only

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Softing Secure Integration Server to version 1.30 or later

HOTFIXUpdate edgeAggregator, edgeConnector, OPC Suite, OPC UA C++ Server SDK, and uaGate to patched versions from Softing

Long-term hardening

0/1

HARDENINGIsolate Softing products from the business network and Internet; place behind firewall with restricted access

CVEs (9)

CVE-2022-1069 CVE-2022-2334 CVE-2022-2336 CVE-2022-1373 CVE-2022-2338 CVE-2022-1748 CVE-2022-2337 CVE-2022-2547 CVE-2022-2335

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/2f8e6516-03ec-4868-99b6-8b50844fd5e7

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.