Emerson Proficy Machine Edition
MonitorCVSS 6.6ICS-CERT ICSA-22-228-06Aug 16, 2022
EmersonGE VernovaManufacturing
Attack path
Attack VectorLocal
Auth RequiredLow
ComplexityLow
User InteractionRequired
Summary
Emerson Proficy Machine Edition versions 9.80 and earlier contain multiple vulnerabilities allowing remote hidden code execution on connected PLCs and malicious file upload from PLC to workstations. CVE-2022-2793 involves weak cryptographic authentication in SRTP and SNP protocols. CVE-2022-2792 affects device authentication. CVE-2022-2791, CVE-2022-2790, and CVE-2022-2789 allow unauthorized file uploads without verification. CVE-2022-2788 enables privilege escalation and unauthorized code execution through file upload.
What this means
What could happen
An attacker with local or network access to Proficy Machine Edition could execute hidden code on your PLC, altering control logic, setpoints, or process behavior. Malicious files could be written to the PLC or extracted to connected engineering workstations, compromising the entire control system.
Who's at risk
Manufacturing facilities using Emerson Proficy Machine Edition for PLC programming and maintenance should care. This affects engineering workstations, PLCs, and any device using the affected software for control system development or updates.
How it could be exploited
An attacker with local access to an engineering workstation running Proficy Machine Edition, or with network access to a PLC, could bypass weak authentication in the SNP/SRTP protocols, upload a malicious file to the PLC without verification, and execute arbitrary code that modifies PLC behavior. The attacker could also extract files from the PLC to the workstation to gather control logic or credentials.
Prerequisites
- Local or network access to Proficy Machine Edition engineering workstation or PLC
- User with at least basic privileges to upload files to the PLC
- PLC running Proficy Machine Edition version 9.80 or earlier
- Weak or no cryptographic authentication enabled on SNP/SRTP protocols (CVE-2022-2793)
No patch available for version 9.80 and earlierAffects safety-critical control systems (PLCs)Allows hidden code execution on critical devicesFile upload without verificationMultiple vulnerability chains (6 CVEs)
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
ProductAffected VersionsFix Status
Proficy Machine Edition:≤ 9.80No fix (EOL)
Remediation & Mitigation
0/8
Do now
0/3HARDENINGEnable cryptographically secure authentication (SRP-6a) on SRTP and SNP protocols in Proficy Machine Edition configuration
HARDENINGRestrict PLC file upload permissions to verified operators only; maintain a list of authorized users with upload capability
HARDENINGEnable authentication on all PLCs in the network
Schedule — requires maintenance window
0/4Patching may require device reboot — plan for process interruption
HARDENINGImplement physical security controls on engineering workstations and PLC connection points to prevent unauthorized local access
HARDENINGProgram PLCs only from isolated, flat/bridged networks; never program from untrusted or shared networks
HARDENINGInstall Proficy Machine Edition with administrator privileges but configure it to run as a non-administrator user for normal operations
HARDENINGMonitor for unauthorized file uploads to or downloads from PLCs; log all PLC programming and maintenance sessions
Mitigations - no patch available
0/1Proficy Machine Edition: has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGIsolate Proficy Machine Edition workstations and PLCs from business networks using firewalls and network segmentation
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/e835577e-c78f-44de-b6d5-4836b7cf79e3Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.