Emerson Proficy Machine Edition
Monitor | 6.6 | ICS-CERT ICSA-22-228-06 | Aug 16, 2022
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
Emerson Proficy Machine Edition versions 9.80 and earlier contain multiple vulnerabilities allowing remote hidden code execution on connected PLCs and malicious file upload from PLC to workstations. CVE-2022-2793 involves weak cryptographic authentication in SRTP and SNP protocols. CVE-2022-2792 affects device authentication. CVE-2022-2791, CVE-2022-2790, and CVE-2022-2789 allow unauthorized file uploads without verification. CVE-2022-2788 enables privilege escalation and unauthorized code execution through file upload.
What this means
What could happen
An attacker with local or network access to Proficy Machine Edition could execute hidden code on your PLC, altering control logic, setpoints, or process behavior. Malicious files could be written to the PLC or extracted to connected engineering workstations, compromising the entire control system.
Who's at risk
Manufacturing facilities using Emerson Proficy Machine Edition for PLC programming and maintenance are at risk. This affects engineering workstations, PLCs, and any device using the affected software for control system development or updates.
How it could be exploited
An attacker with local access to an engineering workstation running Proficy Machine Edition, or with network access to a PLC, could bypass weak authentication in the SNP/SRTP protocols, upload a malicious file to the PLC without verification, and execute arbitrary code that modifies PLC behavior. The attacker could also extract files from the PLC to the workstation to gather control logic or credentials.
Prerequisites
- Local or network access to Proficy Machine Edition engineering workstation or PLC
- User with at least basic privileges to upload files to the PLC
- PLC running Proficy Machine Edition version 9.80 or earlier
- Weak or no cryptographic authentication enabled on SNP/SRTP protocols (CVE-2022-2793)
- No patch available for version 9.80 and earlier
- Affects safety-critical control systems (PLCs)
- Allows hidden code execution on critical devices
- File upload without verification
- Multiple vulnerability chains (6 CVEs)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Proficy Machine Edition | ≤ 9.80 | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Enable cryptographically secure authentication (SRP-6a) on SRTP and SNP protocols in Proficy Machine Edition configuration
- HARDENING: Restrict PLC file upload permissions to verified operators only; maintain a list of authorized users with upload capability
- HARDENING: Enable authentication on all PLCs in the network
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption.
- HARDENING: Implement physical security controls on engineering workstations and PLC connection points to prevent unauthorized local access
- HARDENING: Program PLCs only from isolated, flat/bridged networks; never program from untrusted or shared networks
- HARDENING: Install Proficy Machine Edition with administrator privileges but configure it to run as a non-administrator user for normal operations
- HARDENING: Monitor for unauthorized file uploads to or downloads from PLCs; log all PLC programming and maintenance sessions
Mitigations - no patch available
Proficy Machine Edition has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Isolate Proficy Machine Edition workstations and PLCs from business networks using firewalls and network segmentation
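One way to act on the monitoring and isolation items above, as an added example that is not part of the advisory or any vendor code: flag programming-protocol sessions to PLCs that come from hosts outside an allowlist of engineering workstations, or from an allowed host outside an approved maintenance window. The log format, addresses, window and the SRTP port value 18245/tcp are assumptions to replace with your site's own.

```python
import ipaddress
from datetime import datetime, time

# Assumptions (not from the advisory): site-specific values, replace with your own.
SRTP_PORT = 18245                                   # TCP port commonly used by SRTP; verify for your PLCs
PLC_NET = ipaddress.ip_network("10.20.0.0/24")      # constructed PLC subnet
ENG_WORKSTATIONS = {ipaddress.ip_address("10.20.1.10")}  # authorized programming hosts
MAINT_WINDOW = (time(6, 0), time(8, 0))             # approved programming window (local time)

# Constructed sample flow-log lines: "timestamp src dst dport"
SAMPLE_LOG = """\
2022-08-16T06:15:02 10.20.1.10 10.20.0.5 18245
2022-08-16T13:40:51 10.20.1.10 10.20.0.5 18245
2022-08-16T06:30:10 192.168.7.44 10.20.0.9 18245
2022-08-16T07:01:33 10.20.1.10 10.20.0.5 443
truncated-entry 10.20.1.10
"""

def parse_line(line):
    """Return (ts, src, dst, dport), or None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return (datetime.fromisoformat(parts[0]), ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[2]), int(parts[3]))
    except ValueError:
        return None

def find_suspicious_sessions(log_text):
    """Flag PLC programming sessions that break the allowlist or the window."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed entries instead of crashing the monitor
        ts, src, dst, dport = rec
        if dst not in PLC_NET or dport != SRTP_PORT:
            continue  # not a programming-protocol session to a PLC
        if src not in ENG_WORKSTATIONS:
            findings.append((line, "source is not an authorized engineering workstation"))
        elif not (MAINT_WINDOW[0] <= ts.time() <= MAINT_WINDOW[1]):
            findings.append((line, "authorized host outside maintenance window"))
    return findings

if __name__ == "__main__":
    for line, reason in find_suspicious_sessions(SAMPLE_LOG):
        print(f"ALERT: {reason}: {line}")
```

Each finding should be matched against the logged programming and maintenance sessions; a session with no corresponding work order is the case to investigate.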