mySCADA myPRO
Act Now | CVSS 9.9 | ICS-CERT ICSA-23-096-06 | Apr 10, 2023
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
mySCADA myPRO versions 8.26.0 and earlier contain an OS command injection vulnerability (CWE-78) that allows an authenticated user to execute arbitrary operating system commands. The vulnerability has a CVSS score of 9.9, with a network attack vector, low attack complexity, and low privileges required (an authenticated user). Public exploits exist, and the vulnerability is exploitable remotely.
What this means
What could happen
An attacker with a valid myPRO user account could execute arbitrary commands on the SCADA system computer, potentially allowing them to alter process setpoints, shut down critical operations, or modify system configurations without proper authorization or audit trail.
Who's at risk
Energy sector operators using mySCADA myPRO SCADA/supervisory software on versions 8.26.0 and earlier. This affects anyone relying on myPRO for industrial process monitoring and control, including electric utilities and generation facilities.
How it could be exploited
An authenticated user logs into myPRO with valid credentials and injects operating system commands through a vulnerable input parameter. These commands execute with the privileges of the myPRO application, allowing the attacker to manipulate industrial processes or compromise the underlying system.
Prerequisites
- Valid myPRO user account credentials
- Network access to myPRO application (port and protocol depend on deployment)
- myPRO version 8.26.0 or earlier installed
- remotely exploitable
- authenticated attacker only
- low complexity
- high EPSS score (68.4%)
- public exploits available
- affects SCADA/control system
Exploitability
High exploit probability (EPSS 68.4%)
Affected products (1)
Product | Affected Versions | Fix Status
myPRO | ≤ 8.26.0 | 8.29.0 or higher
Remediation & Mitigation
Do now
- HARDENING: Restrict myPRO network access using firewall rules to permit only authorized workstations and isolate from Internet-facing networks
- HARDENING: Enforce least-privilege access controls: ensure users have only the minimum myPRO permissions required for their role
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade mySCADA myPRO to version 8.29.0 or higher
Long-term hardening
- HARDENING: Implement network segmentation to isolate SCADA systems and myPRO from business networks
- HARDENING: If remote access to myPRO is required, enforce use of VPN or other secure out-of-band connection methods and maintain current patches on VPN infrastructure