Westermo Lynx 206-F2G

Plan PatchCVSS 8ICS-CERT ICSA-24-023-04Jan 23, 2024

Westermo

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionRequired

Summary

Westermo Lynx 206-F2G contains multiple web application vulnerabilities: cross-site scripting (XSS), code injection, cross-origin resource sharing (CORS) misconfiguration, and cross-site request forgery (CSRF). These flaws allow an authenticated attacker with network access to the web interface to inject and execute arbitrary code, steal sensitive information, or trigger unauthorized actions. The CSRF vulnerability was patched in a later WeOS4 version, but XSS, code injection, and CORS flaws will be addressed in future updates. Currently no patches are available for these flaws.

What this means

What could happen

An authenticated attacker with network access to the Lynx web interface could inject malicious code, execute arbitrary commands on the device, steal sensitive configuration data, or manipulate network traffic. This could result in unauthorized changes to network settings, traffic interception, or denial of service.

Who's at risk

Network operators and industrial facilities using Westermo Lynx 206-F2G industrial routers for remote network management and failover. This affects telecom, water utilities, power distribution, and manufacturing sites that rely on managed industrial Ethernet switches for critical site connectivity.

How it could be exploited

An attacker with valid credentials accesses the Lynx 206-F2G web interface over the network. The attacker exploits cross-site scripting (XSS), code injection, or cross-site request forgery (CSRF) flaws to inject malicious JavaScript or commands. If successful, the attacker can run arbitrary code in the device context, alter configuration, or intercept traffic.

Prerequisites

Network access to Lynx web interface (port 80/443)
Valid user credentials for web interface authentication
Victim user must click a malicious link or visit attacker-controlled page (for CSRF/XSS variants)

remotely exploitablerequires valid credentialsno patch available for most flawsaffects management/monitoring device

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (2)

2 pending

ProductAffected VersionsFix Status

Lynx Model: L206-F2G1L206-F2G1No fix yet

Lynx Firmware: 4.24.4.24.No fix yet

Remediation & Mitigation

0/5

Do now

0/3

HARDENINGRestrict network access to the Lynx web interface to authorized engineering and management personnel only using firewall rules

HARDENINGDisable any unused services or features on the Lynx device to reduce attack surface

HARDENINGImplement strong authentication and regular password rotation for web interface accounts

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXMonitor for and apply future firmware updates from Westermo when CSRF and code injection patches are released

Long-term hardening

0/1

HARDENINGPlace Lynx device behind a firewall and isolate from business network and Internet access

CVEs (8)

CVE-2023-40143 CVE-2023-45222 CVE-2023-45735 CVE-2023-45213 CVE-2023-42765 CVE-2023-40544 CVE-2023-38579 CVE-2023-45227

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/9c593717-a7d6-4825-83f7-311b0e003b33

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.