Deep Sea Electronics DSE855

Act Now6.5ICS-CERT ICSA-24-298-03Oct 24, 2024

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The DSE855 controller contains a missing authentication mechanism (CWE-306) that allows local network attackers to access stored credentials without authentication. Successful exploitation could allow an attacker to extract passwords used for engineering access or remote management, which could then be reused to gain unauthorized control of the device or related systems. This vulnerability is not remotely exploitable and requires network access on the same segment as the controller.

What this means

What could happen

An attacker with network access to a DSE855 controller could extract stored credentials (such as engineering access or remote management passwords), potentially allowing unauthorized access to the device or related systems.

Who's at risk

Operators of power generation and diesel fuel systems using Deep Sea Electronics DSE855 automatic changeover controllers should care about this issue. The DSE855 is commonly used in combined-source power systems, backup generator control, and utility switchgear applications where unauthorized access could disrupt switchover logic or enable sabotage of critical power infrastructure.

How it could be exploited

An attacker on the local network segment (not remote) could query the DSE855 controller to retrieve credentials stored in memory or configuration. Once obtained, these credentials could be used to access the device's engineering interface or connect to other networked systems.

Prerequisites

Network access to DSE855 on the local network segment (Ethernet or similar)
No authentication required to access the vulnerability
Physical or network proximity; cannot be exploited remotely

no authentication requiredlow complexityhigh EPSS score (74%)no patch available for deployed version 1.0.26affects critical power control logic

Exploitability

High exploit probability (EPSS 74.0%)

Affected products (1)

ProductAffected VersionsFix Status

DSE855: 1.0.261.0.261.2.0

Remediation & Mitigation

0/4

Do now

0/1

HARDENINGIsolate DSE855 behind a firewall and restrict network access to authorized engineering workstations and control room networks only

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate DSE855 firmware to version 1.2.0 or later

Long-term hardening

0/2

HARDENINGSegment the controller network from business networks to limit lateral movement if credentials are compromised

HARDENINGIf remote access to the DSE855 is required, use a VPN with current security patches and restrict VPN access to named users with a need to access

CVEs (1)

CVE-2024-5947

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/d249dce6-e98d-42c6-8e07-52d331d33baf