Kingspan TMS300 CS

Act Now9.8ICS-CERT ICSA-22-256-04Sep 13, 2022

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The Kingspan TMS300 CS system does not properly restrict access to application endpoints. An attacker without credentials can view and modify application settings, including thermal control parameters. The vulnerability exists in all versions of the TMS300 CS. Kingspan has not responded to CISA requests to develop a remediation and states no fix is planned.

What this means

What could happen

An attacker could bypass authentication and view or change system settings on your TMS300 CS thermal management system, potentially altering temperature control setpoints or disabling safety functions.

Who's at risk

Organizations operating Kingspan TMS300 CS thermal management and monitoring systems, commonly used in data centers, commercial HVAC systems, and industrial facilities for temperature control. This impacts anyone relying on the TMS300 for process temperature setpoint management or safety system coordination.

How it could be exploited

An attacker with network access to the TMS300 CS device can connect directly to unprotected endpoints and submit requests to view or modify application settings without providing any credentials. No authentication mechanism prevents access.

Prerequisites

Network access to the TMS300 CS device (typically on port 80 or 443 for HTTP/HTTPS endpoints)
Device must be reachable from the attacker's network location

Remotely exploitableNo authentication requiredLow complexityNo patch availableAffects safety-relevant systems

Exploitability

Low exploit probability (EPSS 0.2%)

Affected products (1)

ProductAffected VersionsFix Status

TMS300 CS: All versionsAll versionsNo fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGIsolate the TMS300 CS device on a separate network segment behind a firewall; block all incoming connections from business networks and the Internet

WORKAROUNDIf remote access is required, implement a VPN with authentication and encryption; restrict access to authorized personnel only

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGMonitor network traffic to the device and log all access attempts for detection of suspicious activity

Long-term hardening

0/1

HOTFIXContact Kingspan customer support to determine if a future firmware update will address the authentication issue

CVEs (1)

CVE-2022-2757

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/47cfac64-f083-4084-9ae5-0aa9ac0e78d5