OTPulse

Measuresoft ScadaPro Server

MonitorCVSS 7.8ICS-CERT ICSA-22-265-01Sep 22, 2022
Energy
Attack path
Attack VectorLocal
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary

Measuresoft ScadaPro Server versions up to 6.7 contain a privilege escalation vulnerability in the ORCHESTRATOR service. A local user with limited privileges can modify the service binary path without proper access controls, allowing them to point the service to a malicious executable. Since ORCHESTRATOR runs as SYSTEM, restarting the service executes the attacker's code with full system authority. The vendor has not released a patch; Measuresoft recommends applying Windows security descriptor restrictions to the ORCHESTRATOR service to prevent non-administrative users from modifying its configuration.

What this means
What could happen
A user with local access to a ScadaPro Server can escalate privileges to SYSTEM level by modifying the ORCHESTRATOR service configuration, allowing them to run arbitrary commands with full system authority.
Who's at risk
This affects operators and system administrators managing Measuresoft ScadaPro Server installations in energy sector facilities. Anyone responsible for SCADA data collection, processing, or archival systems should be concerned, as ScadaPro Server is often deployed as a historian or data aggregator in generation, transmission, and distribution control networks.
How it could be exploited
An attacker with a local account on the ScadaPro Server system can modify the service binary path of the ORCHESTRATOR service without proper access controls. The attacker can then point this path to a malicious executable and restart the service, which runs as SYSTEM, executing the attacker's code with full privileges.
Prerequisites
  • Local user account on the ScadaPro Server system
  • Limited (non-administrative) user privileges
  • Ability to modify ORCHESTRATOR service configuration
  • Access to restart or stop/start the ORCHESTRATOR service
No patch available—vendor has not released a fixLocal privilege escalation to SYSTEM levelLow attack complexityAffects critical SCADA historian/data collection function
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
ProductAffected VersionsFix Status
ScadaPro Server:6.7No fix (EOL)
Remediation & Mitigation
0/4
Do now
0/1
WORKAROUNDApply the ORCHESTRATOR service permissions change using the provided sc sdset command to restrict configuration access to SYSTEM and Administrators only
Mitigations - no patch available
0/3
ScadaPro Server: has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGImplement least-privilege user principle—ensure users have only the minimum permissions required for their role
HARDENINGMonitor and audit local user accounts with access to the ScadaPro Server system; remove unnecessary accounts
HARDENINGRestrict physical and logical access to the ScadaPro Server to authorized personnel only
View full CISA ICS-CERT advisory
API: /api/v1/advisories/7067ad15-664e-4fd8-8757-4c4795c164c6

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

Measuresoft ScadaPro Server | CVSS 7.8 - OTPulse