Iagona ScrutisWeb

Plan PatchCVSS 10ICS-CERT ICSA-23-199-03Jul 18, 2023

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Iagona ScrutisWeb versions 2.1.37 and earlier contain vulnerabilities in file upload handling (CWE-434), path traversal (CWE-36), missing cryptographic protections (CWE-321), and improper access control (CWE-639). These weaknesses allow an unauthenticated attacker on the network to upload and execute arbitrary files on the ScrutisWeb server, leading to complete system compromise and potential control of connected industrial processes. The CVSS v3.0 score is 10.0 (critical) with a network attack vector, no authentication required, and no user interaction needed.

What this means

What could happen

An attacker could upload and execute arbitrary files on the ScrutisWeb application, potentially gaining full control of the system and the processes it manages. This could allow an attacker to modify process parameters, stop operations, or exfiltrate sensitive control logic.

Who's at risk

This affects organizations running Iagona ScrutisWeb for SCADA monitoring and control, particularly those in utilities, water treatment, manufacturing, and chemical processing. Anyone using ScrutisWeb version 2.1.37 or earlier should prioritize remediation, especially if the application is accessible over the internet or from untrusted networks.

How it could be exploited

An attacker on the network or internet sends a specially crafted file upload request to ScrutisWeb without authentication, causing the application to accept and execute malicious code. Once executed, the attacker has the same permissions as the web application process, allowing direct manipulation of connected industrial systems.

Prerequisites

Network access to the ScrutisWeb application
ScrutisWeb version 2.1.37 or earlier
Application must be reachable from the attacker's network (internet-facing increases risk)

Remotely exploitableNo authentication requiredLow complexity attackHigh CVSS score (10.0)Arbitrary code executionAffects control system visibility and operation

Exploitability

Unlikely to be exploited — EPSS score 0.7%

Affected products (1)

ProductAffected VersionsFix Status

ScrutisWeb: <= 2.1.37≤ 2.1.372.1.38

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDRestrict network access to ScrutisWeb to only authorized engineering workstations using firewall rules; block inbound internet access to the application

HARDENINGPlace ScrutisWeb behind a VPN if remote access is required; do not expose it directly to the internet

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Iagona ScrutisWeb to version 2.1.38 or later

Long-term hardening

0/1

HARDENINGIsolate the network containing ScrutisWeb from business networks using a DMZ or air-gap

CVEs (4)

CVE-2023-33871 CVE-2023-38257 CVE-2023-35763 CVE-2023-35189

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/fde24372-07c4-42cd-8377-4eea0ef20b54

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.