Control By Web X-400, X-600M
Act Now · 9.1 · ICS-CERT ICSA-23-040-01 · Feb 9, 2023
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
Control By Web X-400 and X-600M devices contain two vulnerabilities (CWE-79 cross-site scripting and CWE-94 arbitrary code execution) that could allow an attacker with high-level administrative privileges to inject malicious JavaScript and execute arbitrary code remotely, potentially resulting in loss of sensitive information.
What this means
What could happen
An attacker with admin-level access could run arbitrary code on the device, potentially allowing them to steal configuration data or monitoring information from your facility network.
Who's at risk
This affects any facility using Control By Web X-400 or X-600M environmental monitoring and control devices. These are commonly used in data centers, HVAC systems, server rooms, and utility substations for temperature, humidity, and access monitoring. Any organization relying on these devices for facility monitoring and control decisions should prioritize patching.
How it could be exploited
An attacker with administrative credentials (or who has obtained them through social engineering or prior compromise) accesses the web interface of the X-400 or X-600M device and injects malicious JavaScript through input fields. This code executes in the context of the device, allowing command execution or data theft.
Prerequisites
- Attacker must have valid administrative credentials for the device
- Network access to the web administration interface (typically port 80 or 443)
- Device must be exposed to an untrusted network or accessible through a compromised internal connection
- Remotely exploitable
- Affects critical facility infrastructure
- Requires administrative credentials—impacts organizations using default or weak passwords
- No active public exploits yet, but code execution severity is high
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (2)
2 with fix
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| X-400, X-600M: X-400: All firmware | < 2.8 | v2.8 or later |
| X-400, X-600M: X-600M: All firmware | < 1.16.00 | v2.8 or later |
Remediation & Mitigation
Do now
- HARDENING: Replace default administrator password with a strong, unique password
- WORKAROUND: Restrict network access to the device web interface to trusted administrative networks only using firewall rules or network segmentation
- HARDENING: Do not expose the device directly to the Internet; use VPN for any required remote access
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update X-400 firmware to v2.8 or later
- HOTFIX: Update X-600M firmware to v1.16.00 or later
CVEs (2)