DEXMA DexGate
ICS-CERT ICSA-23-271-02, Sep 26, 2023
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
DexGate 20130114 contains multiple vulnerabilities including cross-site scripting (CWE-79), cross-site request forgery (CWE-352), and weak authentication (CWE-287) that could allow an attacker to impersonate a user, execute arbitrary code, and access the connected network. The device transmits data without encryption (CWE-319) and may disclose sensitive information (CWE-200). DEXMA has not responded to coordination requests and no patch is available for this end-of-life product.
What this means
What could happen
An attacker could impersonate legitimate users, execute arbitrary code on the DexGate device, and gain access to the connected energy management network, potentially allowing them to alter energy consumption data or disrupt monitoring and control of building systems.
Who's at risk
Organizations that rely on DEXMA DexGate for energy management and building system monitoring, including facilities managers in commercial buildings, data centers, industrial plants, and municipal utilities that use DexGate for remote energy consumption monitoring and control.
How it could be exploited
An attacker on the same local network (or with access to the DexGate web interface) could exploit cross-site scripting (XSS) and cross-site request forgery (CSRF) flaws combined with weak authentication to impersonate an administrative user. Once authenticated, the attacker could upload and execute arbitrary code, gaining command-level control of the gateway device and the systems it monitors.
Prerequisites
- Network access to the DexGate web interface (port 80/443 or via remote access)
- User interaction to click a malicious link or visit a crafted page (for XSS/CSRF exploitation)
- No valid credentials required for initial exploitation, but code execution may require authenticated access
Tags:
- remotely exploitable via web interface
- low complexity attack
- no patch available (end-of-life product)
- affects monitoring and control systems
- vendor unresponsive to disclosure
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product    Affected Versions    Fix Status
DEXGate    20130114             No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Isolate DexGate from the Internet and locate it behind a firewall, ensuring it is not directly accessible from the business network or external connections
- HARDENING: If remote access to DexGate is required, implement a Virtual Private Network (VPN) with network segmentation to restrict access from the business network
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Minimize network exposure by restricting which systems and users can reach DexGate; disable unnecessary remote access features
Mitigations - no patch available
DEXGate 20130114 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Monitor for suspicious activity and follow incident response procedures if unauthorized access is suspected; report findings to CISA
- HARDENING: Train users not to click unsolicited web links or open attachments in email that could deliver phishing payloads targeting DexGate access
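As an added example for the monitoring and network-restriction controls above (not DEXMA's code and not part of the advisory), the script below screens a web access log from the gateway for two things this advisory makes relevant: clients outside the management subnet, and state-changing requests whose Referer points at another site, the footprint a CSRF (CWE-352) attempt leaves. It assumes a standard combined-format access log, the hypothetical gateway hostname dexgate.local and management subnet 10.20.30.0/24; the sample lines are constructed.

```python
"""Added example (not DEXMA code): flag off-subnet and cross-site requests in a DexGate access log."""
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical values: the gateway's hostname and the only subnet that
# should reach its web interface.
GATEWAY_HOST = "dexgate.local"
ALLOWED_SUBNET = ipaddress.ip_network("10.20.30.0/24")

# Combined log format: ip ident user [time] "request" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

def _cross_site(referer):
    """True when the Referer names a host other than the gateway; an absent
    Referer ("-") is inconclusive and is not flagged on its own."""
    if referer in ("", "-"):
        return False
    return urlsplit(referer).hostname != GATEWAY_HOST

def review_log(lines):
    """Return (line_no, reason) findings; an empty list means nothing odd."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            findings.append((n, "unparseable line"))
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            findings.append((n, "unparseable source address"))
            continue
        if src not in ALLOWED_SUBNET:
            findings.append((n, "source outside management subnet"))
        if m["method"] in ("POST", "PUT", "DELETE") and _cross_site(m["referer"]):
            findings.append((n, "cross-site Referer on state-changing request"))
    return findings

# Constructed sample lines, not real DexGate output.
SAMPLE_LOG = [
    '10.20.30.15 - - [26/Sep/2023:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.20.30.15 - - [26/Sep/2023:10:00:05 +0000] "POST /config HTTP/1.1" 302 0 "http://dexgate.local/config" "Mozilla/5.0"',
    '10.20.30.77 - - [26/Sep/2023:10:01:10 +0000] "POST /config HTTP/1.1" 302 0 "http://external.example/page.html" "Mozilla/5.0"',
    '192.0.2.44 - - [26/Sep/2023:10:02:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/8.0"',
]
```

A match on the third line is the CSRF indicator; the fourth shows a client the firewall or VPN segmentation from the "Do now" items should have kept out.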