EFACEC BCU 500
Act Now9.6ICS-CERT ICSA-23-353-02Dec 19, 2023
Attack VectorNetwork
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary
EFACEC BCU 500 versions 4.07 and earlier contain a denial-of-service vulnerability (CWE-400) and a cross-site request forgery (CSRF) vulnerability (CWE-352) in the web application. Successful exploitation could allow an attacker to cause a denial-of-service condition or compromise the web application through CSRF attacks.
What this means
What could happen
An attacker with network access to the BCU 500 web interface could trigger a denial-of-service condition that halts the device's availability, or use CSRF to modify device configuration without authorization, potentially disrupting power factor correction operations.
Who's at risk
EFACEC BCU 500 (Battery Charge Unit / power factor correction controllers) in electrical utilities and industrial facilities that rely on power quality correction and battery management systems.
How it could be exploited
An attacker with web access to the BCU 500 (port 80/443) could send a specially crafted request to trigger the denial-of-service condition, or trick an authenticated user into visiting a malicious webpage that crafts a CSRF request to alter device settings or disable functionality.
Prerequisites
- Network access to BCU 500 web interface (HTTP/HTTPS)
- For CSRF: authenticated user must visit attacker-controlled webpage
remotely exploitablelow complexityno authentication required for denial-of-servicecritical CVSS score (9.6)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
ProductAffected VersionsFix Status
BCU 500: 4.074.074.08
Remediation & Mitigation
0/4
Do now
0/1WORKAROUNDRestrict network access to the BCU 500 web interface using firewall rules; allow only authorized engineering workstations
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HOTFIXUpgrade BCU 500 to version 4.08 or later
Long-term hardening
0/2HARDENINGIsolate BCU 500 and all control system devices from business networks and the internet using network segmentation and firewalls
HARDENINGUse VPN for any required remote access to BCU 500, and keep VPN software updated to the latest version
CVEs (2)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/ac36088b-5e19-4d9d-810c-42fba1263860