OTPulse

SAUTER EY-modulo 5 Building Automation Stations

Plan Patch | 8.8 | ICS-CERT ICSA-23-082-03 | Apr 3, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

SAUTER EY-modulo 5 Building Automation Station (EY-AS525F001) with moduWeb contains multiple vulnerabilities (CWE-79 cross-site scripting, CWE-319 unencrypted communication, CWE-434 unrestricted file upload) that allow remote privilege escalation, unauthorized execution of actions, denial of service, and retrieval of sensitive building configuration data. The product does not support encryption on its communication protocols and is not suitable for open networks. SAUTER states this product line will not be patched and recommends upgrading to EY6AS80F021 with moduWeb Unity.

What this means
What could happen
An attacker could gain unauthorized control of your building automation system, alter temperature or access controls, read sensitive building data, or cause denial of service affecting HVAC and security operations.
Who's at risk
Healthcare facilities and other buildings relying on SAUTER EY-modulo 5 building automation stations for HVAC, lighting, and access control. This affects legacy EY-AS525F001 devices with moduWeb that lack encryption and are accessible on network segments.
How it could be exploited
An attacker on the network sends a specially crafted request (leveraging CWE-79 cross-site scripting, CWE-319 unencrypted communication, or CWE-434 unrestricted file upload) to the moduWeb interface. Since the device lacks encryption and requires only basic network access, the attacker can intercept traffic, inject commands, or upload malicious files without authentication to alter building settings or extract configuration data.
Prerequisites
  • Network access to the EY-AS525F001 device on the same network segment or open network
  • No authentication or valid credentials required for basic exploitation
  • Device running moduWeb interface without encryption enabled
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • No patch available for legacy product
  • Unencrypted communication
  • Affects building critical systems (HVAC, access control)
  • Legacy/end-of-life product
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product: EY-modulo 5 Building Automation Station: EY-AS525F001 with moduWeb
Affected Versions: EY-AS525F001
Fix Status: No fix yet
Remediation & Mitigation
Do now
  • HARDENING: Segment the building automation network from general IT networks using a firewall or VLAN; restrict access to authorized engineering workstations only
  • WORKAROUND: Disable or restrict remote access to the moduWeb interface; require VPN or DMZ access if remote management is necessary
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Plan and budget for replacement of EY-AS525F001 with EY6AS80F021 running moduWeb Unity, which supports encrypted TLS communication
Long-term hardening
  • HARDENING: Implement monitoring and logging of all traffic to and from the building automation device to detect unauthorized access attempts
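
One way to act on the segmentation and monitoring items above, as an added example that is not part of the advisory or any SAUTER tooling: review flow records for traffic touching the device and flag any peer that is not an authorized engineering workstation. The device address, the workstation allowlist and the flow-record layout are assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumed values, not from the advisory: device address, workstation
# allowlist, and the flow-record layout are constructed for illustration.
BAS_DEVICE = ipaddress.ip_address("10.20.0.15")
ENGINEERING_WORKSTATIONS = {
    ipaddress.ip_address("10.20.0.50"),
    ipaddress.ip_address("10.20.0.51"),
}

# Constructed sample records: timestamp src dst dst_port proto bytes
SAMPLE_FLOWS = """\
2023-04-03T08:01:12Z 10.20.0.50 10.20.0.15 80 tcp 4312
2023-04-03T08:04:55Z 10.30.7.22 10.20.0.15 80 tcp 18230
2023-04-03T08:05:01Z 10.20.0.15 10.20.0.50 49822 tcp 900
2023-04-03T08:09:40Z 10.20.0.15 198.51.100.9 443 tcp 120
malformed line
2023-04-03T08:11:03Z 10.30.7.22 10.20.0.15 21 tcp 64
"""


def review_flows(text):
    """Return (alerts, unparsed_lines) for flows touching the BAS device."""
    alerts, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ts, src, dst, port, _proto, _size = line.split()
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            # Keep unparsable records visible: a logging gap is itself a finding.
            unparsed.append(line)
            continue
        if dst == BAS_DEVICE and src not in ENGINEERING_WORKSTATIONS:
            alerts.append((ts, "unauthorized-inbound", str(src), port))
        elif src == BAS_DEVICE and dst not in ENGINEERING_WORKSTATIONS:
            alerts.append((ts, "unexpected-outbound", str(dst), port))
    return alerts, unparsed


if __name__ == "__main__":
    found, bad = review_flows(SAMPLE_FLOWS)
    for ts, kind, peer, port in found:
        print(f"{ts} {kind} peer={peer} dst_port={port}")
    print(f"{len(bad)} record(s) could not be parsed")
```

Any alert here also indicates that the firewall or VLAN boundary is letting through traffic it should block, so treat it as both a detection and a segmentation finding.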