INEA ME RTU

Act Now9.9ICS-CERT ICSA-23-304-02Oct 31, 2023

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

INEA ME RTU firmware versions 3.36b and earlier contain command injection and missing authentication vulnerabilities (CWE-78, CWE-306) that allow remote code execution. An attacker with low-privilege access to the device can execute arbitrary commands with elevated privileges, potentially affecting industrial control operations.

What this means

What could happen

An attacker could execute arbitrary commands on the ME RTU, potentially modifying device configurations, halting data acquisition, or disrupting control logic in systems that rely on this remote terminal unit for SCADA data relay and control.

Who's at risk

Water and electric utilities operating INEA ME RTU devices for SCADA telemetry and remote terminal operations should prioritize this vulnerability. Any environment using ME RTU as a remote data acquisition or control interface is at risk.

How it could be exploited

An attacker with network access and valid low-privilege credentials can send a crafted command to the ME RTU that exploits the command injection vulnerability to bypass authentication checks and execute system commands with elevated privileges.

Prerequisites

Network access to the ME RTU device
Valid low-privilege user credentials or ability to authenticate to the device

remotely exploitablelow complexityauthentication required but easily bypassedhigh CVSS score (9.9)medium EPSS score (0.4%)no publicly known active exploitation

Exploitability

Low exploit probability (EPSS 0.4%)

Affected products (1)

ProductAffected VersionsFix Status

ME RTU: <=3.36b≤ 3.36b3.37

Remediation & Mitigation

0/4

Do now

0/3

HARDENINGRestrict network access to the ME RTU device—do not expose it to the internet and place it behind a firewall

HARDENINGIsolate the ME RTU and its network segment from business networks

WORKAROUNDUse VPN for any required remote access to the device, and keep VPN software up to date

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade ME RTU firmware to version 3.37 or later

CVEs (2)

CVE-2023-35762 CVE-2023-29155

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/16ad4960-dbae-4e7f-bf17-b4bd444a823f