mySCADA myPRO
CVSS 9.9 · ICS-CERT ICSA-22-235-03 · Aug 23, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
mySCADA myPRO versions 8.26.0 and earlier contain an improper input validation vulnerability (CWE-77) that allows an authenticated attacker to execute arbitrary operating system commands through the engineering interface. Successful exploitation grants direct access to run commands on the host operating system with the privileges of the myPRO application process, potentially allowing modification of process logic, control setpoints, or system state.
What this means
What could happen
An attacker with engineering access could execute arbitrary operating system commands on the myPRO controller, potentially altering process logic, changing setpoints, or stopping critical operations at energy facilities.
Who's at risk
Energy utilities and industrial facilities relying on mySCADA myPRO controllers for process automation and control. This includes municipal and private electric utilities, power generation facilities, and renewable energy systems that use myPRO for SCADA or PLC functions.
How it could be exploited
An attacker with valid engineering credentials authenticates to the myPRO controller over the network and exploits improper input validation to inject and execute operating system commands through the application interface. The attacker can then run arbitrary commands with the privileges of the myPRO process on the host system.
Prerequisites
- Valid engineering workstation credentials or access to an authenticated myPRO session
- Network access to the myPRO controller on the port where the engineering interface listens (typically local network or VPN)
- myPRO version 8.26.0 or earlier installed
- Remotely exploitable over the network
- Requires valid credentials (reduces but does not eliminate risk)
- Low attack complexity
- Critical CVSS score (9.9)
- No patch available at time of advisory publication
- Could affect safety and operational integrity
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product   Affected Versions   Fix Status
myPRO     ≤ 8.26.0            8.27.0
Remediation & Mitigation
Do now
Workaround: Restrict network access to myPRO engineering interfaces using firewall rules; allow only designated engineering workstations and block all Internet-facing access.
Hardening: If remote engineering access is required, route it through a VPN with current security patches and strong authentication.
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
Hotfix: Upgrade myPRO to version 8.27.0 or later.
Hardening: Audit current myPRO user accounts and revoke or reset credentials for inactive engineering staff.
Long-term hardening
Hardening: Segment myPRO controllers from business networks and ensure they are not directly reachable from the Internet.
CVEs (1)