OTPulse

Weintek cMT3000 HMI Web CGI

Act Now · CVSS 9.8 · ICS-CERT ICSA-23-285-12 · Oct 12, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed

Summary

Weintek cMT3000 series HMI devices contain stack-based buffer overflow (CWE-121) and command injection (CWE-78) vulnerabilities in the web CGI interface. Successful exploitation could allow an attacker to hijack control flow, bypass login authentication, or execute arbitrary commands on the device.

What this means
What could happen
An attacker could bypass authentication to the HMI interface or execute arbitrary commands on the device, potentially altering process control setpoints, stopping operations, or modifying the visual display presented to plant operators.
Who's at risk
Manufacturing facilities using Weintek cMT3000 series HMI touchscreen panels for process monitoring and control. This affects any plant or system that relies on these HMI devices for operator interface to PLCs, motors, valves, or other process equipment.
How it could be exploited
An attacker on the network can send a malicious HTTP request to the web CGI interface without needing valid credentials. The buffer overflow or command injection flaw allows command execution or authentication bypass, giving the attacker control over HMI operations and visibility into the monitored/controlled process.
Prerequisites
  • Network access to the HMI web interface (HTTP port, typically 80 or 443)
  • No valid credentials required for exploitation
Remotely exploitable · No authentication required · Low complexity attack · Critical CVSS score (9.8) · Affects HMI interface (operator visibility and control)
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (7)
7 with fix
Product    Affected Versions    Fix Status
cMT-FHD    ≤ 20210210           20210211
cMT-HDM    ≤ 20210204           20210205
cMT3071    ≤ 20210218           20210219
cMT3072    ≤ 20210218           20210219
cMT3103    ≤ 20210218           20210219
cMT3151    ≤ 20210218           20210219
cMT3090    ≤ 20210218           20210219
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the HMI web interface using firewall rules; block inbound HTTP/HTTPS except from authorized engineering workstations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update cMT-FHD to OS version 20210211 or later
HOTFIX: Update cMT-HDM to OS version 20210205 or later
HOTFIX: Update cMT3071 to OS version 20210219 or later
HOTFIX: Update cMT3072 to OS version 20210219 or later
HOTFIX: Update cMT3103 to OS version 20210219 or later
HOTFIX: Update cMT3090 to OS version 20210219 or later
HOTFIX: Update cMT3151 to OS version 20210219 or later
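
To plan the maintenance window, the fixed versions above can be checked against an asset inventory. The script below is an added example, not part of the advisory or any vendor tooling; the CSV column names, hostnames and sample rows are constructed, and it assumes OS versions are 8-digit date stamps that compare as integers.

```python
import csv
import io

# Minimum fixed OS version per model, taken from the advisory's table.
FIXED_OS = {
    "cMT-FHD": 20210211,
    "cMT-HDM": 20210205,
    "cMT3071": 20210219,
    "cMT3072": 20210219,
    "cMT3103": 20210219,
    "cMT3151": 20210219,
    "cMT3090": 20210219,
}

# Constructed sample inventory; hosts, columns and versions are illustrative.
SAMPLE_INVENTORY = """host,model,os_version
hmi-line1,cMT3071,20210218
hmi-line2,cMT3072,20210219
hmi-pack1,cmt-fhd,20201130
hmi-pack2,cMT-HDM,2021-02-05
hmi-lab,cMT3151,
hmi-other,other-panel,20200101
"""

def triage(inventory_csv):
    """Return (host, model, status, detail) for each inventory row."""
    by_upper = {m.upper(): m for m in FIXED_OS}  # tolerate case differences
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = (row.get("host") or "").strip()
        raw_model = (row.get("model") or "").strip()
        model = by_upper.get(raw_model.upper())
        if model is None:
            results.append((host, raw_model, "NOT_LISTED", "model not in this advisory"))
            continue
        digits = (row.get("os_version") or "").replace("-", "").strip()
        if len(digits) != 8 or not digits.isdecimal():
            # A missing or malformed version is never treated as patched.
            results.append((host, model, "UNKNOWN", "verify OS version on the device"))
            continue
        fixed = FIXED_OS[model]
        if int(digits) < fixed:
            results.append((host, model, "VULNERABLE", f"update to {fixed} or later"))
        else:
            results.append((host, model, "FIXED", f"at or above {fixed}"))
    return results

if __name__ == "__main__":
    for host, model, status, detail in triage(SAMPLE_INVENTORY):
        print(f"{host:10} {model:11} {status:11} {detail}")
```

Rows reported as UNKNOWN should be confirmed on the device itself before being counted as patched.
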
Long-term hardening
HARDENING: Isolate HMI devices from the business network and internet; place on a dedicated control system network
HARDENING: If remote access to HMI is required, use a VPN with current security patches and multi-factor authentication