Delta Electronics InfraSuite Device Master

Act Now9.8ICS-CERT ICSA-23-331-01Nov 28, 2023

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Delta Electronics InfraSuite Device Master versions 1.0.7 and earlier contain multiple vulnerabilities (CWE-35, CWE-502, CWE-749, CWE-22) that allow remote arbitrary code execution and plaintext credential disclosure. The vulnerabilities are remotely exploitable with no authentication required.

What this means

What could happen

An attacker could remotely execute arbitrary commands on the Device Master, potentially altering process configurations, stealing plaintext credentials for connected control systems, or disrupting device management operations across your infrastructure.

Who's at risk

This affects organizations using Delta Electronics InfraSuite Device Master for centralized device management in industrial environments, including water utilities, electric utilities, and manufacturing facilities. Anyone relying on Device Master to manage remote PLCs, gateways, or SCADA components should prioritize this vulnerability.

How it could be exploited

An attacker on the network can send a crafted request to the Device Master without authentication to trigger code execution or credential theft. If the Device Master is reachable from the internet or an untrusted network, exploitation can occur from outside your organization.

Prerequisites

Network access to the Device Master (typically port 80/443 for web interface)
No credentials required
Device running InfraSuite Device Master version 1.0.7 or earlier

remotely exploitableno authentication requiredlow complexityarbitrary code executionplaintext credential exposurecritical severity (CVSS 9.8)

Exploitability

Moderate exploit probability (EPSS 2.1%)

Affected products (1)

ProductAffected VersionsFix Status

InfraSuite Device Master: <=1.0.7≤ 1.0.71.0.10

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGRestrict network access to the Device Master from the internet; place it behind a firewall with access only from trusted engineering networks

HARDENINGIf remote access is required, use a VPN to tunnel connections rather than exposing the Device Master directly to untrusted networks

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Delta Electronics InfraSuite Device Master to version 1.0.10 or later

Long-term hardening

0/1

HARDENINGIsolate the Device Master and its connected control systems on a separate network segment from business IT systems

CVEs (4)

CVE-2023-46690 CVE-2023-47207 CVE-2023-39226 CVE-2023-47279

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f8f005cd-fccc-424c-8170-1fef42537923