OTPulse

ControlbyWeb Relay

Plan: Patch · 7.5 · ICS-CERT ICSA-23-341-05 · Dec 7, 2023
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: Required
Summary

ControlbyWeb X-301 and X-332 relay controllers contain a cross-site scripting (XSS) vulnerability in the web management interface. An authenticated attacker can inject malicious code that executes in the session of another authorized user, allowing them to run commands, modify settings, or manipulate relay outputs.

What this means
What could happen
An authenticated attacker could inject malicious code that executes in a user's browser session, potentially allowing them to modify relay settings, steal session data, or manipulate control commands issued through the web interface.
Who's at risk
Water authorities and municipal utilities using ControlbyWeb X-301 or X-332 relay controllers for remote I/O switching and monitoring. This affects any facility that relies on these devices for pump control, valve actuation, or alarm signaling through their web management interface.
How it could be exploited
An attacker with valid credentials accesses the web interface and injects malicious code (likely JavaScript) into input fields or parameters. When another authorized user visits the affected page, the injected code runs in their browser with their privileges, allowing the attacker to perform actions on the relay device as that user.
Prerequisites
  • Valid login credentials for the ControlbyWeb relay device
  • User interaction required (authenticated user must visit a page containing the injected payload)
  • Access to the relay's web management interface (network access to HTTP/HTTPS port, typically 80 or 443)
  • Remotely exploitable (requires network access to the web interface)
  • Requires authentication (reduces risk but does not eliminate it)
  • Stored or reflected XSS can be exploited with a single compromised credential or through social engineering
  • User interaction required (an engineer or operator must visit the malicious page)
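The mechanism described above is a stored value rendered back into HTML without encoding. The following Python model is an added example, not code from the advisory or from ControlbyWeb firmware: it invents a settings page with a user-editable relay label (the real device's page layout and field names are not known here and are assumed), renders it once with the vulnerable concatenation pattern and once with context-appropriate HTML encoding, and checks whether the stored value changes the markup the browser would parse.

```python
"""Constructed model of a relay-controller settings page (not the vendor's code).

One authenticated user stores a relay label; the page later renders it for another
user. The vulnerable renderer interpolates the stored string verbatim, so any markup
in it becomes part of the page. The hardened renderer encodes it for the HTML text
and quoted-attribute contexts it lands in, so the browser treats it as text.
"""
import html
import re

# Constructed sample settings, as a hypothetical relay firmware might store them.
SAMPLE_SETTINGS = {
    "relay1_label": "Pump A",
    "relay2_label": 'Valve <b>2</b> "north"',   # contains markup characters
}

PAGE = """<html><body>
<form method="post" action="/settings">
{rows}
</form></body></html>"""


def render_row_unsafe(name: str, label: str) -> str:
    """Vulnerable pattern: the stored value is concatenated straight into markup."""
    return f'<label>{label}</label><input name="{name}" value="{label}">'


def render_row_safe(name: str, label: str) -> str:
    """Hardened: encode for the HTML text node and for the double-quoted attribute.

    html.escape covers these two contexts only; a value placed inside a <script>
    block or a URL would need the encoding appropriate to that context instead.
    """
    safe = html.escape(label, quote=True)
    return f'<label>{safe}</label><input name="{name}" value="{safe}">'


def render_page(settings: dict, row_fn) -> str:
    """Render the whole settings form with the chosen row renderer."""
    rows = "\n".join(row_fn(n, v) for n, v in settings.items())
    return PAGE.format(rows=rows)


# Crude tag scanner, sufficient for the demo; not a real HTML parser.
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)")


def markup_tags(fragment: str) -> list:
    """Tag names a browser would start parsing from the fragment."""
    return [m.group(2).lower() for m in TAG_RE.finditer(fragment)]


def stored_value_introduces_tags(label: str, row_fn) -> bool:
    """True if rendering `label` yields tags beyond the template's own label/input.

    This is the property a reviewer of the firmware's page templates would check:
    user-controlled data must never add elements to the document.
    """
    expected = set(markup_tags(row_fn("x", "plain")))
    return any(t not in expected for t in markup_tags(row_fn("x", label)))


if __name__ == "__main__":
    for fn in (render_row_unsafe, render_row_safe):
        leaks = stored_value_introduces_tags(SAMPLE_SETTINGS["relay2_label"], fn)
        print(f"{fn.__name__}: stored value adds markup -> {leaks}")
    print(render_page(SAMPLE_SETTINGS, render_row_safe))
```

Running the module prints the verdict for both renderers and the hardened page; the same label that injects a `<b>` element through the unsafe path is rendered as literal text by the safe one.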
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (3)
3 with fix
Product      Affected Versions   Fix Status
X-301-I      Firmware 1.15       Fixed in 1.20
X-301-24I    Firmware 1.15       Fixed in 1.20
X-332-24I    Firmware 1.06       Fixed in 1.09
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the relay's web interface using firewall rules—allow only authorized engineering workstations and remove any internet-facing access
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update X-301 series firmware to version 1.20 or later
HOTFIX: Update X-332 series firmware to version 1.09 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate control system devices from business networks and the internet
HARDENING: For remote access, use a VPN with strong authentication and keep VPN software updated to the latest version
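The workaround and the segmentation step above both come down to an allowlist in front of the relay's web ports. The ruleset below is an added example, not part of the advisory or of any vendor documentation: it assumes a Linux-based gateway running nftables between an engineering VLAN and the control VLAN that holds the relay, and every address in it is a constructed placeholder (the relay cannot enforce this itself; the rules live on the firewall that forwards traffic to it).

```nftables
# Constructed example: gateway forwarding between the engineering VLAN
# (10.10.20.0/24) and the control VLAN holding the relay at 10.10.50.31.
# Addresses are placeholders; substitute the real relay and workstation IPs.
table inet relay_web_acl {
    # Engineering workstations permitted to reach the relay's web interface
    set eng_workstations {
        type ipv4_addr
        elements = { 10.10.20.11, 10.10.20.12 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Replies belonging to sessions already permitted below
        ct state established,related accept

        # Relay web interface (HTTP/HTTPS): only from the allowlist
        ip daddr 10.10.50.31 tcp dport { 80, 443 } ip saddr @eng_workstations accept

        # Anything else aimed at the relay's web ports is logged, then dropped;
        # the log prefix gives the SOC a searchable marker for blocked attempts
        ip daddr 10.10.50.31 tcp dport { 80, 443 } log prefix "relay-web-denied " drop
    }
}
```

Load it with `nft -f` on the gateway and confirm with `nft list ruleset`; the log line prefix lets blocked connection attempts to the relay's management interface be picked up by whatever forwards the gateway's kernel log to the SIEM. Internet-facing exposure should additionally be closed at the perimeter rather than relying on this internal rule alone.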