Black Box KVM

Plan Patch | CVSS 7.5 | ICS-CERT ICSA-23-010-01 | Jan 10, 2023
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A path traversal vulnerability (CWE-22) in Black Box KVM switches allows unauthenticated network-local attackers to read sensitive data on the device's web server. Affected models include ACR1000A-R-R2, ACR1000A-T-R2, ACR1002A-T, ACR1002A-R, and ACR1020A-T running firmware version 3.4.31307. The vulnerability is not remotely exploitable from the internet.

What this means
What could happen
An attacker with network access to a Black Box KVM switch could read sensitive data stored on the device's web interface, potentially exposing credentials or configuration information used to manage operator workstations and servers.
Who's at risk
Data center and control room operators managing facilities with Black Box KVM switches (ACR1000A, ACR1002A, ACR1020A series). This includes water authorities, electric utilities, and other critical infrastructure facilities that use KVMs to manage operator workstations, engineering systems, and server access from central locations.
How it could be exploited
An attacker on the same network as the KVM switch can reach its web interface without authentication and retrieve sensitive files or data. This requires that the KVM be reachable from the attacker's network position; the flaw is not remotely exploitable from the internet.
Prerequisites
  • Network access to the KVM switch's IP address and web server port
  • No valid credentials required
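A defender-side check for the vulnerability class described above (an added example, not code from the advisory or from Black Box): it parses constructed web-server access-log lines, decodes each request path and flags any that contain a ".." segment, then counts hits per source address. The log format, the request paths and the IP addresses are assumptions; the device's real log layout is not given on this page.

```python
import re
from urllib.parse import unquote
from collections import Counter

# Constructed sample access-log lines for a KVM switch web server (not real
# device output); the requested paths and addresses are illustrative only.
SAMPLE_LOG = """\
10.0.5.23 - - [10/Jan/2023:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 1432
10.0.5.77 - - [10/Jan/2023:09:14:09 +0000] "GET /static/../../etc/passwd HTTP/1.1" 200 618
10.0.5.77 - - [10/Jan/2023:09:14:11 +0000] "GET /static/%2e%2e/%2e%2e/config.xml HTTP/1.1" 200 2201
10.0.5.77 - - [10/Jan/2023:09:14:15 +0000] "GET /static/..%5c..%5cusers.db HTTP/1.1" 404 0
10.0.5.23 - - [10/Jan/2023:09:15:30 +0000] "GET /img/logo.png HTTP/1.1" 200 5120
"""

# Assumed common-log-style layout: client ip, identity, user, timestamp, request, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def canonical_path(raw: str) -> str:
    """Drop the query string, percent-decode twice (catches double encoding)
    and fold backslashes to forward slashes before inspecting segments."""
    path = raw.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path.replace("\\", "/")

def is_traversal(raw_path: str) -> bool:
    """True if the decoded path contains a '..' segment (CWE-22 pattern)."""
    segments = canonical_path(raw_path).split("/")
    return ".." in segments

def find_traversal_attempts(log_text: str) -> list[dict]:
    """Return every parsed request whose path is a traversal attempt.
    Because the device needs no authentication, a 200 status on such a
    request is treated as a likely successful read, but all attempts are kept."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_traversal(m["path"]):
            hits.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"])})
    return hits

def sources_by_count(hits) -> Counter:
    """Count traversal attempts per source address for triage."""
    return Counter(h["ip"] for h in hits)
```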
Tags: no authentication required | low complexity | no patch available (at time of advisory) | sensitive credentials at risk
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (5)
5 with fix
Product | Affected Versions | Fix Status
KVM Switches and Extenders: Black Box KVM ACR1020A-T | Firmware 3.4.31307 | v3.6+
KVM Switches and Extenders: Black Box KVM ACR1000A-R-R2 | Firmware 3.4.31307 | v3.6+
KVM Switches and Extenders: Black Box KVM ACR1000A-T-R2 | Firmware 3.4.31307 | v3.6+
KVM Switches and Extenders: Black Box KVM ACR1002A-T | Firmware 3.4.31307 | v3.6+
KVM Switches and Extenders: Black Box KVM ACR1002A-R | Firmware 3.4.31307 | v3.6+
Remediation & Mitigation
Do now
HARDENING: Isolate KVM switches from business networks and place them behind firewalls with restricted inbound access
HARDENING: Disable or restrict direct internet access to KVM web interfaces; require VPN or jump-host access for remote management
HARDENING: Audit network connectivity of KVM devices to verify they are not accessible from untrusted network segments
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Black Box KVM firmware to version 3.6 or later

Black Box KVM | CVSS 7.5 - OTPulse