Weintek Weincloud
Action: Plan Patch
CVSS: 7.5
ICS-CERT: ICSA-23-199-04
Published: Jul 18, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Weintek Account API contains multiple authentication and token handling vulnerabilities (CWE-640, CWE-522, CWE-307, CWE-237). These flaws allow attackers to reset account passwords using compromised JWT tokens, reuse expired credentials, perform brute force attacks on passwords, or cause denial-of-service conditions against account management services. The vulnerabilities affect Account API versions 0.13.6 and earlier.
What this means
What could happen
An attacker with network access could reset user passwords, bypass authentication controls, or crash the account management service, preventing legitimate operators from accessing HMI systems or cloud-based dashboards during critical plant operations.
Who's at risk
Water utilities, municipal electric systems, and industrial facilities using Weintek HMI products with EasyAccess 2.0 cloud services or Dashboard services. Operators and engineers who rely on remote access or cloud-based monitoring and control of PLCs, RTUs, and process equipment are at risk if they cannot authenticate due to account lockout or if an attacker gains password reset capability.
How it could be exploited
An attacker on the network sends specially crafted requests to the Account API to manipulate JWT tokens, reuse expired tokens, or brute-force passwords and password resets. No authentication is required. The attack requires only network reachability to the API endpoint (typically over HTTP/HTTPS).
Prerequisites
- Network access to the Account API endpoint
- The HMI or cloud service is configured to use the vulnerable Account API version 0.13.6 or earlier
- If using EasyAccess 2.0 or cloud Dashboard, network reachability to those services
Key factors:
- Remotely exploitable
- No authentication required
- Low complexity attack
- Affects account management (gateway to operational control)
- Default or weak passwords may increase brute force risk
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product      | Affected Versions | Fix Status
Account API  | <= 0.13.6         | 0.13.8
Remediation & Mitigation
Do now
WORKAROUND: If online services (EasyAccess 2.0 or Dashboard) are not required for operations, set HMIs to offline mode to reduce exposure
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update Weintek Account API to version 0.13.8 or later
Long-term hardening
HARDENING: Implement network segmentation to restrict access to Account API and HMI systems; place them behind a firewall and isolate them from the business network
HARDENING: Enforce a policy requiring operators to log in only on trusted computers and log out immediately after use on untrusted devices
HARDENING: Implement a mandatory password change schedule and user education on strong password practices to reduce brute force risk
HARDENING: If remote access to HMI or Account API is necessary, require VPN with the most current version and apply all security patches