APSystems Altenergy Power Control
Act Now | 9.8 | ICS-CERT ICSA-23-213-01 | Aug 1, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Altenergy Power Control Software C1.2.5 contains a command injection vulnerability (CWE-78) that allows remote code execution and is rated CVSS 9.8 (critical). It requires no authentication and can be exploited over the network with low complexity. APSystems has not responded to CISA requests for mitigation support, and no vendor patch is available.
What this means
What could happen
An attacker could execute arbitrary commands on the Altenergy Power Control system, potentially altering generation setpoints, load shedding decisions, or disabling energy production controls, impacting power output and grid stability.
Who's at risk
Energy generation operators and utilities using APSystems Altenergy Power Control Software (C1.2.5) for solar or renewable energy management. Any organization with this software exposed to a network is at immediate risk of remote takeover of energy production controls.
How it could be exploited
An attacker with network access to the Altenergy Power Control Software can send a crafted request that exploits a command injection vulnerability (CWE-78) to execute arbitrary system commands on the control system with no authentication required.
Prerequisites
- Network access to the Altenergy Power Control Software (port and service not specified in advisory)
- No credentials required for exploitation
remotely exploitable | no authentication required | low complexity | high EPSS score (94.2%) | no patch available | affects critical energy infrastructure
Exploitability
High exploit probability (EPSS 94.2%)
Affected products (1)
Product | Affected Versions | Fix Status
Altenergy Power Control Software: C1.2.5 | C1.2.5 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Immediately move Altenergy Power Control Software systems behind a firewall and isolate them from both the internet and business network. Do not expose this system to external networks.
HARDENING: If remote access is required for maintenance, implement a VPN with network segmentation so operators connect only to a dedicated bastion host or jump box, never directly to the control system.
WORKAROUND: Contact APSystems support directly to determine if a vendor patch is available or if the product will be deprecated. Do not wait for CISA to provide a fix.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Monitor for suspicious access attempts and command execution on the Altenergy system. Document and report any suspected exploitation to CISA and APSystems.
CVEs (1)
API:
/api/v1/advisories/8aa952e9-81c0-4c70-bdf9-37a0e654b651