Haas Controller

Plan PatchCVSS 9.8ICS-CERT ICSA-22-298-01Oct 25, 2022

Manufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The Haas Controller (firmware version 100.20.000.1110) contains multiple vulnerabilities in the Ethernet Q Commands service that allow unauthenticated remote code execution. The service does not require authentication for command submission, does not encrypt communications, and does not properly validate or restrict commands. These weaknesses allow an attacker to remotely execute arbitrary commands on the controller, causing denial-of-service, tool damage, quality defects, or complete loss of machine control. The vulnerabilities stem from missing authentication (CWE-306), weak credential handling (CWE-1220), and unencrypted communications (CWE-319).

What this means

What could happen

An attacker could execute commands on the Haas Controller, causing production line shutdowns, tool damage, quality defects, or complete loss of control over the manufacturing process.

Who's at risk

Manufacturing facilities operating Haas CNC machines and machining centers should prioritize this advisory. Any shop or production environment using Haas Controller firmware version 100.20.000.1110 is at risk of production interruption and tool damage.

How it could be exploited

An attacker with network access to port 21 or the Ethernet Q Commands service (typically port 21 for FTP or custom ports) can send unauthenticated commands without credentials. The attacker can inject arbitrary commands that execute on the controller with no authentication required, allowing remote code execution and control of the CNC machine.

Prerequisites

Network access to the Haas Controller (usually internal network or Internet-exposed)
No credentials required
Ethernet Q Commands service must be enabled and reachable

Remotely exploitable from networkNo authentication requiredLow complexity attackHigh CVSS score (9.8)No patch availableAffects safety and production controlMultiple weaknesses (CWE-306 authentication, CWE-1220 credentials, CWE-319 encryption)

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (1)

ProductAffected VersionsFix Status

Haas Controller - Haas Controller:100.20.000.1110No fix (EOL)

Remediation & Mitigation

0/6

Do now

0/4

HARDENINGImplement network firewall rules to restrict access to the Haas Controller to only authorized engineering workstations and disable Internet-facing access

WORKAROUNDEnable authentication on the Ethernet Q Commands service and configure a strong enforced password

WORKAROUNDEnable encryption on all network communications to the controller to prevent password capture and command sniffing

WORKAROUNDRestrict and audit macro write permissions; limit the number of macros that can be created or uploaded to the controller

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGIsolate Haas Controller and all CNC machines from the business network; place them on a separate production network with strict ingress/egress controls

Mitigations - no patch available

0/1

Haas Controller - Haas Controller: has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGImplement physical access controls; ensure only authorized personnel can access the controller via local ports or USB interfaces

CVEs (3)

CVE-2022-2474 CVE-2022-2475 CVE-2022-41636

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/5d3f887b-4a47-43fb-8f4f-2703fe5f3c91

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.