Delta Electronics DVW-W02W2-E2
Act Now | 9.9 | ICS-CERT ICSA-23-033-04 | Feb 2, 2023
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
A command injection vulnerability in the Delta Electronics DVW-W02W2-E2 device allows an attacker with low-privilege user credentials to execute arbitrary code with root privileges. This could enable the attacker to send malicious commands to all devices managed by the DVW-W02W2-E2, potentially disrupting operations across multiple sites. The vulnerability exists in versions prior to 2.5.2.
What this means
What could happen
An attacker with low-level user credentials could gain root access to the DVW-W02W2-E2 device and send malicious commands to any networked devices it manages, potentially disrupting industrial operations or causing physical harm.
Who's at risk
This affects operators of Delta Electronics DVW-W02W2-E2 wide-area networked device management controllers used in water, electric, gas, and other critical infrastructure environments. Organizations relying on this device to manage remote sites or control devices are at risk if the device can be accessed by unauthorized users.
How it could be exploited
An attacker with valid low-privilege user credentials can exploit this command injection vulnerability to execute arbitrary code on the DVW-W02W2-E2 with root privileges. Once compromised, the device can be used as a pivot point to issue commands to all managed devices on the network.
Prerequisites
- Valid low-privilege user account credentials on the DVW-W02W2-E2
- Network access to the DVW-W02W2-E2 management interface
remotely exploitable, low complexity, high EPSS score (22.6%), affects management of multiple industrial systems, allows escalation to root access
Exploitability
High exploit probability (EPSS 22.6%)
Affected products (1)
Product | Affected Versions | Fix Status
DVW-W02W2-E2 | DVW-W02W2-E2:2.42 | 2.5.2
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the DVW-W02W2-E2 management interface using firewall rules; only allow connections from authorized engineering workstations and control networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update DVW-W02W2-E2 firmware to version 2.5.2 or later
Long-term hardening
HARDENING: Implement VPN or other secure remote access methods if remote management is required
HARDENING: Isolate the DVW-W02W2-E2 and all managed devices from business networks and Internet-facing systems
CVEs (1)