HMS Networks EWON FLEXY 202

Plan PatchCVSS 8.2ICS-CERT ICSA-24-291-04Oct 17, 2024

HMS Networks

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

The HMS Networks EWON FLEXY 202 industrial gateway uses weak encoding techniques to transmit credentials. An attacker who can observe network traffic can sniff and decode these credentials, gaining access to the device and potentially the plant network beyond it.

What this means

What could happen

An attacker who intercepts network traffic between a workstation and the FLEXY 202 gateway can capture and decode stored credentials, allowing unauthorized access to configure the gateway, redirect data flows, or pivot into the industrial network.

Who's at risk

Water authorities and utilities using HMS Networks EWON FLEXY 202 industrial gateways for remote access, data logging, or network connectivity should assess their deployment. The FLEXY 202 is commonly used as a bridge between isolated OT networks and corporate IT systems, making credential compromise a direct pivot risk into control networks.

How it could be exploited

An attacker positioned to passively observe network traffic between an engineering workstation and the FLEXY 202 (e.g., on the same network segment or via a compromised switch port) captures traffic containing credentials encoded with weak mechanisms. The attacker decodes these credentials and uses them to authenticate to the FLEXY 202's management interface, gaining control of the gateway.

Prerequisites

Network access to observe traffic between management workstation and FLEXY 202
Presence of weak credential encoding in active traffic (credentials must be transmitted during the observation window)
Access to decoding tools or knowledge of the weak encoding scheme

remotely exploitableno authentication required for traffic sniffinglow complexityweak credential encodinggateway position enables pivot to OT networks

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (1)

ProductAffected VersionsFix Status

EWON FLEXY 202: Firmware__14.2s0Firmware 14.2s014.9s2

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDRestrict network access to the FLEXY 202 management interface (port 80/443) to authorized engineering workstations only using firewall rules

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate EWON FLEXY 202 firmware to version 14.9s2 or later

HARDENINGRequire VPN for all remote management connections to the FLEXY 202

Long-term hardening

0/1

HARDENINGSegment the FLEXY 202 onto a dedicated management network separate from operational plant networks

CVEs (1)

CVE-2024-7755

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/dfce53e8-f2d8-4bfb-aa67-e748428c133e

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.