Measuresoft ScadaPro Server and Client
Monitor | 7.8 | ICS-CERT ICSA-22-235-06 | Aug 23, 2022
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Measuresoft ScadaPro Server and Client contain multiple memory corruption and buffer overflow vulnerabilities (CWE-121, CWE-416, CWE-822, CWE-59) that could allow arbitrary code execution, privilege escalation, or denial-of-service. All versions are affected. No patch is currently available. Exploitation requires local access and user interaction to open a malicious project file. The vulnerabilities are not remotely exploitable.
What this means
What could happen
An attacker with local access could execute arbitrary code on a ScadaPro server or engineering workstation, potentially gaining control of process logic, altering setpoints, or crashing the SCADA system. This could disrupt energy operations and process visibility.
Who's at risk
Energy sector organizations running Measuresoft ScadaPro Server or Client software for SCADA monitoring and control should be concerned. This affects both the server components and the engineering workstations where operators and engineers design and modify control logic and process setpoints.
How it could be exploited
An attacker must trick a user into opening a malicious project file on a machine running ScadaPro Server or Client. Once opened, the file exploits buffer overflow and memory corruption vulnerabilities (CWE-121, CWE-416, CWE-822, CWE-59) to execute arbitrary code with the privileges of the user who opened it, or potentially escalate privileges on the system.
Prerequisites
- Local or physical access to a computer running ScadaPro Server or Client
- User interaction required: target user must open a malicious project file from an untrusted source
- No valid credentials needed
- No patch available
- Requires user interaction and local access
- Buffer overflow and memory corruption vulnerabilities
- Could lead to arbitrary code execution and privilege escalation
- Affects SCADA control system
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
ScadaPro Server and Client: All Versions | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Only open ScadaPro project files from trusted, known sources. Establish a controlled process for project file distribution and validation.
HARDENING: Educate operators and engineers on risks of opening unsolicited project files, especially from external email or untrusted sources.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Implement file integrity monitoring on project file directories to detect unauthorized or unexpected file modifications.
HOTFIX: Monitor Measuresoft support channels for patches. When available, install ScadaPro updates in a controlled maintenance window.
Mitigations - no patch available
ScadaPro Server and Client: All Versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate ScadaPro engineering workstations from general office email and web browsing networks. Use air-gapped or segregated network access.
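One way to implement the file integrity monitoring and project file validation items above, as an added example that is not part of the advisory and not Measuresoft code. It records a SHA-256 baseline of a project directory, reports later changes, and checks a file against the list of vetted hashes before it is opened; the `.prj` file names and their contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Stream a file through SHA-256 so large project files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map relative path -> SHA-256 for each regular file under root.
    Symbolic links are skipped so a link cannot stand in for a vetted file."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}

def compare(root, baseline):
    """Report files added, removed or modified since the baseline was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in current.keys() & baseline.keys()
                           if current[k] != baseline[k]),
    }

def is_approved(path, approved_hashes):
    """True only if the file's hash is on the list of vetted project files."""
    return sha256_file(path) in approved_hashes

def demo():
    # Constructed sample data: file names, the .prj extension and contents are made up.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "plant_a.prj").write_bytes(b"constructed project A")
        (root / "plant_b.prj").write_bytes(b"constructed project B")
        baseline = build_baseline(root)
        approved = set(baseline.values())
        (root / "plant_a.prj").write_bytes(b"changed after baseline")
        (root / "from_email.prj").write_bytes(b"unvetted file")
        (root / "plant_b.prj").unlink()
        return compare(root, baseline), is_approved(root / "from_email.prj", approved)

if __name__ == "__main__":
    print(demo())
```

Store the baseline and the approved-hash list somewhere the engineering workstation cannot write to, so a changed project file cannot also update its own record.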