WellinTech KingHistorian

Act NowCVSS 8.1ICS-CERT ICSA-23-199-07Jul 18, 2023

WellinTech

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

WellinTech KingHistorian contains input validation and buffer overflow vulnerabilities (CWE-195, CWE-200) that allow an attacker with network access to disclose sensitive historian data or inject malicious data leading to buffer overflow. The vulnerabilities affect KingHistorian version 35.01.00.05 and earlier. A historian is a critical component in SCADA systems that stores time-series operational data (temperatures, pressures, flow rates, alarms) needed by operators to understand system state and troubleshoot problems.

What this means

What could happen

An attacker could disclose sensitive information from the KingHistorian historian database or inject malicious data that triggers a buffer overflow, potentially causing the historian service to crash or execute arbitrary code on the system.

Who's at risk

Water utilities, electric utilities, and other critical infrastructure operators using WellinTech KingHistorian for SCADA data logging and historical trend analysis. Any organization relying on KingHistorian to store and retrieve operational process data, alarms, and setpoint history.

How it could be exploited

An attacker with network access to the KingHistorian service sends a specially crafted request containing oversized or malformed data. The application fails to properly validate input length (CWE-195), allowing the attacker to overflow a buffer (CWE-200) and either extract sensitive data or, in the case of the buffer overflow, potentially execute code on the historian server.

Prerequisites

Network access to KingHistorian service port (typically 8080 or custom port)
KingHistorian version 35.01.00.05 or earlier
No credentials required for initial exploitation

Remotely exploitableNo authentication requiredHigh EPSS score (18%)No patch available for version 35.01.00.05Affects historian/data logging systems critical to operator situational awareness

Exploitability

Likely to be exploited — EPSS score 16.8%

Affected products (1)

ProductAffected VersionsFix Status

KingHistorian: 35.01.00.0535.01.00.053.52

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGIsolate KingHistorian historian server behind a firewall and restrict network access to authorized engineering workstations and SCADA servers only

HARDENINGEnsure KingHistorian is not directly accessible from the Internet or business networks; use network segmentation to isolate the historian from non-critical systems

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade KingHistorian to version 3.52 or later

WORKAROUNDIf remote access to KingHistorian is required, implement a VPN with encryption and access controls, and keep VPN software updated to the latest version

CVEs (2)

CVE-2022-45124 CVE-2022-43663

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/305b6ac8-89bd-482b-8cf3-d08d9a82d82b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.