Burk Technology ARC Solo

Plan Patch | CVSS 9.8 | ICS-CERT ICSA-25-219-03 | Aug 7, 2025
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A missing authentication vulnerability (CWE-306) in Burk Technology ARC Solo devices allows an attacker on the network to gain unauthorized access without valid credentials. Successful exploitation could result in an attacker gaining administrative access to the device, locking out authorized users, or disrupting facility operations. Burk Technology has released a security update addressing this vulnerability in version v1.0.62 and later.

What this means
What could happen
An attacker could gain unauthorized access to an ARC Solo device and lock out legitimate users, disrupting facility operations, or modify critical control settings.
Who's at risk
Organizations operating Burk Technology ARC Solo devices used in facility monitoring, automation, and control. This includes water utilities, electric utilities, HVAC systems, and other building automation environments that rely on ARC Solo for system access and management.
How it could be exploited
An attacker on the network sends a crafted request to the ARC Solo device (which lacks proper authentication controls) to gain administrative access without valid credentials. Once access is gained, the attacker can lock out authorized users or modify operational parameters.
Prerequisites
  • Network access to the ARC Solo device on the port used by the device (typically HTTP/HTTPS)
  • No authentication credentials required
remotely exploitable | no authentication required | low complexity | critical severity (CVSS 9.8) | affects device access and user management
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (1)
Product | Affected Versions | Fix Status
ARC Solo: <v1.0.62 | <v1.0.62 | v1.0.62
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to ARC Solo devices to only authorized engineering workstations and control system networks using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update ARC Solo devices to firmware version v1.0.62 or later
Long-term hardening
HARDENING: Isolate ARC Solo devices from the business network and internet; place them behind a firewall on a dedicated control system network
HARDENING: If remote access to ARC Solo is required, enforce access through a VPN tunnel and ensure the VPN software is kept current
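
The remediation items above reduce to two checks per device: is the firmware at v1.0.62 or later, and does the firewall admit only authorized networks. The following triage script is an added example, not part of the advisory or any Burk Technology tooling; the inventory rows, column names, hostnames and the authorized network 10.20.0.0/24 are constructed assumptions.

```python
import csv
import io
import ipaddress
import re

FIXED = (1, 0, 62)  # first fixed firmware per the advisory (v1.0.62)

# Assumption: network holding the authorized engineering workstations.
AUTHORIZED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample inventory; hosts and column names are hypothetical.
SAMPLE_INVENTORY = """\
host,firmware,allowed_sources
arc-solo-01,v1.0.58,10.20.0.0/24
arc-solo-02,v1.0.62,0.0.0.0/0
arc-solo-03,1.0.9,10.20.0.16/28;192.168.5.0/24
arc-solo-04,unknown,10.20.0.0/24
arc-solo-05,v1.1.0,10.20.0.0/25
"""

def parse_version(text):
    """Return (major, minor, patch), or None if the string is not a version."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def triage(inventory_csv):
    """Map each host to a list of findings; an empty list means no finding."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        findings = []
        version = parse_version(row["firmware"])
        if version is None:
            findings.append("firmware unknown, verify on device")
        elif version < FIXED:  # numeric compare: 1.0.9 is older than 1.0.62
            findings.append("firmware below v1.0.62, schedule update")
        for src in row["allowed_sources"].split(";"):
            net = ipaddress.ip_network(src.strip(), strict=False)
            if not any(net.subnet_of(a) for a in AUTHORIZED_NETS):
                findings.append(f"firewall admits {net}, outside authorized networks")
        report[row["host"]] = findings
    return report

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_INVENTORY).items():
        print(host, "OK" if not findings else "; ".join(findings))
```

Versions are compared as integer tuples because a string comparison would rank 1.0.9 above 1.0.62 and miss an affected device.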
API: /api/v1/advisories/83dc0ea2-1c84-4f0b-a260-a0b9727109a0
