PiiGAB M-Bus

Plan PatchCVSS 9.8ICS-CERT ICSA-23-187-01Jul 6, 2023

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

PiiGAB M-Bus SoftwarePack 900S contains multiple critical vulnerabilities including command injection (CWE-94), weak password storage (CWE-798, CWE-256), insufficient authentication (CWE-307), Cross-Site Request Forgery (CWE-352), and weak cryptographic key management (CWE-523, CWE-916). These flaws allow remote attackers with no authentication to inject arbitrary commands, steal credentials, and trick users into executing malicious commands. The vulnerabilities are exploitable over the network with low attack complexity. PiiGAB has released updated software available through the gateway web UI and their website (Piigab.se or Piigab.com).

What this means

What could happen

An attacker could run arbitrary commands on the M-Bus gateway, steal user passwords, or trick operators into executing malicious commands, potentially disrupting meter data collection or allowing unauthorized access to the utility network.

Who's at risk

Water utilities, electric utilities, and gas distributors using PiiGAB M-Bus gateways (900S) for remote meter reading, data collection, or management. Any organization relying on M-Bus for operational visibility into consumption or demand data should prioritize patching.

How it could be exploited

An attacker on the network (or Internet, if the gateway is exposed) sends a crafted request to the M-Bus gateway exploiting command injection, weak password storage, or CSRF vulnerabilities. The gateway executes the attacker's commands without authentication or proper validation, giving the attacker control over gateway functions.

Prerequisites

Network access to the M-Bus gateway on the Internet or local network
No authentication required for some vulnerabilities
Gateway running vulnerable 900S software version

remotely exploitableno authentication requiredlow complexityhigh CVSS score (9.8)affects utility operationsmultiple vulnerability types (injection, weak authentication, CSRF, weak cryptography)

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (1)

ProductAffected VersionsFix Status

M-Bus SoftwarePack: 900S900SNo fix yet

Remediation & Mitigation

0/5

Do now

0/4

HARDENINGBlock remote access to the M-Bus gateway from the Internet and ensure it is only reachable from your internal OT network

HARDENINGPlace the M-Bus gateway behind a firewall and isolate it from business network segments

HARDENINGSet unique, strong passwords for all gateway user accounts and enforce the principle of least privilege for account permissions

WORKAROUNDIf remote access to the gateway is required, use a VPN and ensure the VPN client and server are updated to current versions

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate M-Bus SoftwarePack 900S to the latest patched version available from the gateway web UI or download from Piigab.se/Piigab.com

CVEs (9)

CVE-2023-36859 CVE-2023-33868 CVE-2023-31277 CVE-2023-35987 CVE-2023-35765 CVE-2023-32652 CVE-2023-34995 CVE-2023-34433 CVE-2023-35120

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/b009fb1c-4ea7-4d00-8de3-f747e0eb3cdf

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.