SDG PnPSCADA
Act Now · 9.8 · ICS-CERT ICSA-23-131-12 · May 12, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A SQL injection vulnerability in PnPSCADA v2.x allows an attacker to interact with and retrieve critical data from the underlying database. The vulnerability can be exploited remotely without authentication. The affected versions are in the v2.* line (v2.x). SDG PnPSCADA is developing a fix; users should contact support@pnpscada.com for updates. Workarounds include using prepared statements, avoiding public exposure of SCADA systems, and implementing network segmentation to isolate systems from the internet.
What this means
What could happen
An attacker could execute SQL commands against the PnPSCADA database to retrieve critical operational data, potentially exposing process parameters, setpoints, and system configuration used to control energy infrastructure.
Who's at risk
Energy utilities and operators running PnPSCADA for supervisory control and data acquisition. This affects any organization using PnPSCADA v2.x to monitor or control generation, transmission, distribution, or other critical energy infrastructure.
How it could be exploited
An attacker with network access to the PnPSCADA application can inject SQL code through an input field to interact directly with the backend database. This does not require authentication or user interaction, allowing the attacker to bypass the application logic and extract sensitive data directly from the database.
Prerequisites
- Network reachability to the PnPSCADA application interface (typically HTTP/HTTPS)
- No authentication required
Remotely exploitable · No authentication required · Low complexity · SQL injection (CWE-89) · No patch available · Active exploitation unknown; vendor is developing a fix
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
| Product | Affected Versions | Fix Status |
|---|---|---|
| PnPSCADA (cross platforms): v2.* | 2. | No fix (EOL) |
Remediation & Mitigation
Do now
HARDENING: Review application deployment and ensure PnPSCADA systems are not accessible from the public internet; implement network segmentation to isolate SCADA systems from untrusted networks
WORKAROUND: Audit all input fields in PnPSCADA for SQL injection vulnerabilities; deploy web application firewall (WAF) rules to block common SQL injection payloads as a temporary measure
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Monitor database activity logs for suspicious queries or unauthorized access attempts
HOTFIX: Update PnPSCADA to a patched version once the vendor releases a fix
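The summary names prepared statements as a workaround, and the remediation list calls for auditing input fields. The following is an added example, not PnPSCADA code and not part of the advisory: it sets a string-concatenated lookup beside a parameterized one and flags the inputs on which they diverge. The `meters` table, its rows, the probe strings and all function names are hypothetical and constructed for illustration.

```python
import sqlite3

# Constructed probe inputs: one ordinary value, one with a lone quote,
# one that changes the WHERE clause if it reaches the SQL text.
PROBES = ["north", "o'brien", "x' OR '1'='1"]

def make_db():
    # Constructed schema and data; the real PnPSCADA schema is not on this page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE meters (id INTEGER PRIMARY KEY, site TEXT, setpoint REAL)")
    db.executemany("INSERT INTO meters (site, setpoint) VALUES (?, ?)",
                   [("north", 11.0), ("south", 22.5), ("east", 33.0)])
    return db

def lookup_concatenated(db, site):
    # Vulnerable pattern: request input becomes part of the SQL text.
    sql = "SELECT id, site, setpoint FROM meters WHERE site = '" + site + "'"
    return db.execute(sql).fetchall()

def lookup_prepared(db, site):
    # Hardened pattern: the SQL text is fixed and the input is bound as a value.
    sql = "SELECT id, site, setpoint FROM meters WHERE site = ?"
    return db.execute(sql, (site,)).fetchall()

def audit(db, lookup, probes):
    """Return (probe, reason) for each probe where `lookup` errors or
    disagrees with the parameterized reference query."""
    findings = []
    for probe in probes:
        expected = lookup_prepared(db, probe)
        try:
            got = lookup(db, probe)
        except sqlite3.Error:
            # Input broke the statement syntax, so it reached the SQL parser.
            findings.append((probe, "sql-error"))
            continue
        if got != expected:
            # Input altered the query logic instead of being matched as data.
            findings.append((probe, "result-mismatch"))
    return findings

if __name__ == "__main__":
    db = make_db()
    for name, fn in [("concatenated", lookup_concatenated),
                     ("prepared", lookup_prepared)]:
        print(name, audit(db, fn, PROBES))
```

A field that produces any finding is building SQL from its input and needs the parameterized form; WAF rules only reduce exposure until that change is made.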
CVEs (1)