Black Box KVM
Triage: Plan Patch
Score: 7.5 (CVSS v3)
Source: ICS-CERT ICSA-23-010-01
Published: Jan 10, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A path traversal vulnerability (CWE-22) in the web server of Black Box KVM switches allows an unauthenticated attacker who can reach the device over the network to read sensitive files on the device. Affected models are ACR1000A-R-R2, ACR1000A-T-R2, ACR1002A-T, ACR1002A-R, and ACR1020A-T running firmware version 3.4.31307. The attack vector is Network: anything that can open a connection to the KVM's web server port can exploit it, so a device that is not exposed to the internet is reachable only from the network segments it sits on.
What this means
What could happen
An attacker with network access to a Black Box KVM switch could read sensitive data stored on the device's web interface, potentially exposing credentials or configuration information used to manage operator workstations and servers.
Who's at risk
Data center and control room operators managing facilities with Black Box KVM switches (ACR1000A, ACR1002A, ACR1020A series). This includes water authorities, electric utilities, and other critical infrastructure facilities that use KVMs to manage operator workstations, engineering systems, and server access from central locations.
How it could be exploited
An attacker needs a network path to the KVM switch's web server, nothing more: no account, no session, and no user action on the device. Requests that step outside the web root are served without authentication, returning file contents the attacker is not meant to see. Whether the device is reachable only from an adjacent network segment or from farther away depends entirely on how it is segmented and firewalled, not on the vulnerability itself.
Prerequisites
- Network access to the KVM switch's IP address and web server port
- No valid credentials required
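Because the flaw is exploitable before any authentication, the only evidence of an attempt is the request itself. The following detection script is an added example and is not part of the advisory or of Black Box's software; it assumes (the advisory does not say what the KVM itself logs) that a reverse proxy or firewall in front of the KVM web interface writes combined-format access logs, and the sample lines it scans are constructed here. It normalizes each request target before matching, so percent-encoded, double-encoded and backslash variants of `..` are caught as well as the plain form, and separates attempts the server answered with 200 from those it rejected.

```python
import re
import urllib.parse
from dataclasses import dataclass

# Constructed sample lines (combined log format) as a reverse proxy in front of the
# KVM web interface might write them. Assumption: the KVM itself may not keep an
# access log, so the log has to come from a device in front of it.
SAMPLE_LOG = """\
10.20.1.15 - - [10/Jan/2023:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 1043
10.20.1.77 - - [10/Jan/2023:09:12:05 +0000] "GET /../../etc/passwd HTTP/1.1" 200 512
10.20.1.77 - - [10/Jan/2023:09:12:06 +0000] "GET /%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 200 211
10.20.1.77 - - [10/Jan/2023:09:12:07 +0000] "GET /%252e%252e/config.xml HTTP/1.1" 404 0
10.20.1.15 - - [10/Jan/2023:09:12:09 +0000] "GET /images/logo.png HTTP/1.1" 200 8804
10.20.1.77 - - [10/Jan/2023:09:12:10 +0000] "GET /..\\..\\config\\users.db HTTP/1.1" 200 320
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass
class Finding:
    src: str
    ts: str
    raw_target: str
    normalized: str
    status: int


def normalize_path(target: str, max_rounds: int = 3) -> str:
    """Drop the query string, undo (possibly repeated) percent-encoding and fold
    backslashes to slashes, so '/%252e%252e/x' and '/..\\x' both become '/../x'."""
    path = target.split('?', 1)[0]
    for _ in range(max_rounds):          # bounded: a hostile target cannot loop forever
        decoded = urllib.parse.unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace('\\', '/')


def is_traversal(path: str) -> bool:
    """True when any path segment is exactly '..', i.e. the request climbs above
    the web root. Segments that merely contain dots ('..png') are not flagged."""
    return any(seg == '..' for seg in path.split('/'))


def scan_log(text: str) -> list:
    """Return one Finding per request whose normalized target is a traversal."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not an access-log line; skip silently
        norm = normalize_path(m['target'])
        if is_traversal(norm):
            findings.append(Finding(m['src'], m['ts'], m['target'], norm, int(m['status'])))
    return findings


def successful_reads(findings: list) -> list:
    """Attempts the server answered with 200: on unpatched firmware these are the
    requests most likely to have handed back file contents, so triage them first."""
    return [f for f in findings if f.status == 200]


if __name__ == '__main__':
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.src} {f.status} {f.raw_target} -> {f.normalized}")
    print(f"{len(hits)} traversal attempts, {len(successful_reads(hits))} answered 200")
```

Point this at the proxy's real access log and alert on any Finding against the KVM's address; a 200 response to a traversal request from an unpatched device is the signal to treat stored credentials and configuration as exposed.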
Tags: no authentication required; low complexity; no patch available (at time of advisory); sensitive credentials at risk
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (5), all with a fix available
Product | Affected Versions | Fix Status
KVM Switches and Extenders: Black Box KVM ACR1020A-T | Firmware 3.4.31307 | v3.6 or later
KVM Switches and Extenders: Black Box KVM ACR1000A-R-R2 | Firmware 3.4.31307 | v3.6 or later
KVM Switches and Extenders: Black Box KVM ACR1000A-T-R2 | Firmware 3.4.31307 | v3.6 or later
KVM Switches and Extenders: Black Box KVM ACR1002A-T | Firmware 3.4.31307 | v3.6 or later
KVM Switches and Extenders: Black Box KVM ACR1002A-R | Firmware 3.4.31307 | v3.6 or later
Remediation & Mitigation
Do now
HARDENING: Isolate KVM switches from business networks and place them behind firewalls with restricted inbound access
HARDENING: Disable or restrict direct internet access to KVM web interfaces; require VPN or jump-host access for remote management
HARDENING: Audit network connectivity of KVM devices to verify they are not reachable from untrusted network segments
Schedule (requires a maintenance window; patching may require a device reboot, so plan for process interruption)
HOTFIX: Update Black Box KVM firmware to version 3.6 or later
CVEs (1)
API:
/api/v1/advisories/bbcec959-09a0-4f2c-aa8a-ace8516b980a