Industrial Control Links ScadaFlex II SCADA Controllers
Act Now | CVSS 9.1 | ICS-CERT ICSA-23-096-01 | Apr 10, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
ScadaFlex II SCADA controllers contain a file manipulation vulnerability (CWE-73) that allows an authenticated attacker to overwrite, delete, or create arbitrary files on the device. The vulnerability affects all firmware versions from 1.01.01 through 1.03.07. Industrial Control Links has closed their business and indicated this product is end-of-life with no continued support or patches planned.
What this means
What could happen
An authenticated attacker could overwrite, delete, or create files on the SCADA controller, potentially disrupting process control or safety operations. With no vendor fix available and the company closing, this product is effectively unsupported.
Who's at risk
Energy and manufacturing facilities operating ScadaFlex II SCADA controllers for process automation and critical control functions. This includes electric utilities, water treatment plants, chemical processing, and manufacturing plants that rely on these controllers for real-time operations.
How it could be exploited
An attacker with valid credentials to the ScadaFlex II web interface could exploit the file manipulation vulnerability to alter or delete critical control software, configuration files, or safety logic. The attack requires network access to the controller and authentication credentials, which could be obtained through phishing, credential compromise, or default credentials if not changed.
Prerequisites
- Network access to the ScadaFlex II web interface (typically port 80 or 443)
- Valid authentication credentials for the SCADA controller
- Knowledge of the file structure and paths on the affected device
- No patch available - vendor closing business
- Remotely exploitable over network
- High CVSS score (9.1)
- High EPSS score (48%)
- Affects critical control functions
- Requires valid credentials but vulnerable to compromise
Exploitability
High exploit probability (EPSS 48.0%)
Affected products (6)
6 pending
| Product | Affected Versions | Fix Status |
|---|---|---|
| SW: 1.03.07 (build 317), WebLib | 1.03.07 (build 317) | No fix yet |
| SW: 1.02.20 (build 286), WebLib | 1.02.20 (build 286) | No fix yet |
| SW: 1.02.15 (build 286), WebLib | 1.02.15 (build 286) | No fix yet |
| SW: 1.02.01 (build 229), WebLib | 1.02.01 (build 229) | No fix yet |
| SW: 1.01.14 (build 172), WebLib | 1.01.14 (build 172) | No fix yet |
| SW: 1.01.01 (build 2149), WebLib | 1.01.01 (build 2149) | No fix yet |
Remediation & Mitigation
Do now
- HARDENING: Segment the SCADA network from the corporate business network using firewalls and air-gapped architecture where possible
- HARDENING: Restrict network access to ScadaFlex II controllers to only authorized engineering workstations and human-machine interfaces (HMIs) using firewall rules and network access control lists
- HARDENING: Disable remote access to ScadaFlex II controllers from the Internet and external networks; if remote access is required, enforce it only through a VPN with strong authentication and encryption
- HARDENING: Change all default credentials on ScadaFlex II controllers and use strong, unique passwords for administrative and engineering accounts
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Enable all available logging and monitoring on ScadaFlex II controllers to detect suspicious file access or modification attempts
Long-term hardening
- HARDENING: Evaluate replacement of ScadaFlex II systems with supported SCADA platforms, given the vendor is closing and no patches will be provided
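One way to act on the affected-version list and the access-restriction steps above, as an added example (not code from the advisory or the vendor): it flags inventory entries whose firmware string falls in the affected range 1.01.01 through 1.03.07 and lists firewall source networks that go beyond the authorized engineering workstations and HMIs. The inventory field names, host names and address ranges are constructed assumptions.

```python
import ipaddress
import re

# Affected range stated in the advisory summary: 1.01.01 through 1.03.07.
AFFECTED_MIN, AFFECTED_MAX = (1, 1, 1), (1, 3, 7)
SW_RE = re.compile(r"SW:\s*(\d+)\.(\d+)\.(\d+)")

def parse_sw_version(firmware):
    """Extract (major, minor, patch) from a 'SW: 1.02.15 (build 286)' string."""
    m = SW_RE.search(firmware or "")
    return tuple(int(p) for p in m.groups()) if m else None

def is_affected(firmware):
    """True if in the affected range; unparseable strings are treated as affected."""
    v = parse_sw_version(firmware)
    return True if v is None else AFFECTED_MIN <= v <= AFFECTED_MAX

def excess_sources(allowed_sources, authorized_nets):
    """Return firewall source entries not contained in any authorized network."""
    auth = [ipaddress.ip_network(n) for n in authorized_nets]
    out = []
    for src in allowed_sources:
        net = ipaddress.ip_network(src, strict=False)
        if not any(net.version == a.version and net.subnet_of(a) for a in auth):
            out.append(src)
    return out

def triage(inventory, authorized_nets):
    """Return (host, affected, excess_sources) for each inventory record."""
    return [(d["host"], is_affected(d["firmware"]),
             excess_sources(d["web_allowed_from"], authorized_nets))
            for d in inventory]

# Constructed sample data (documentation address ranges, hypothetical field names).
AUTHORIZED = ["192.0.2.16/28"]  # engineering workstations and HMIs
INVENTORY = [
    {"host": "rtu-01", "firmware": "SW: 1.03.07 (build 317)",
     "web_allowed_from": ["192.0.2.18/32"]},
    {"host": "rtu-02", "firmware": "SW: 1.02.15 (build 286)",
     "web_allowed_from": ["192.0.2.20/32", "198.51.100.0/24"]},
    {"host": "rtu-03", "firmware": "unknown",
     "web_allowed_from": ["0.0.0.0/0"]},
]

if __name__ == "__main__":
    for host, affected, excess in triage(INVENTORY, AUTHORIZED):
        print(f"{host}: affected={affected} exposed_to={excess or 'authorized only'}")
```

Records with a non-empty excess list are the ones whose firewall rules or ACLs still need tightening.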
CVEs (1)