Festo LX Appliance
CVSS 6.1 · ICS-CERT ICSA-25-343-02 · Aug 29, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
The LX Appliance contains a cross-site scripting (XSS) vulnerability in the bundled Video.js package. A user with Teacher-level privileges can craft a malicious course containing JavaScript that executes in the browsers of other users when they view the course. This allows the attacker to hijack user sessions, steal credentials, or perform unauthorized actions within the appliance in the victim's context. The vulnerability affects LX Appliance versions prior to the June 2023 release.
What this means
What could happen
A Teacher-role user could craft a malicious course containing JavaScript code that executes in the browsers of other users viewing that course, potentially stealing session credentials or redirecting them to phishing sites. This could compromise access to training and educational content on the appliance.
Who's at risk
Training and education organizations using Festo LX Appliance for industrial control system training or operator qualification. Affects primarily educational institutions, training centers, and utilities that use LX Appliance for skill development in engineering and operations roles.
How it could be exploited
An attacker with Teacher credentials logs into LX Appliance, creates a course with embedded malicious JavaScript in the course content, and publishes it. When other users (students or instructors) view the course in their browsers, the JavaScript executes in their session context, allowing the attacker to steal cookies, capture input, or perform actions on their behalf.
Prerequisites
- Valid Teacher-role account on the LX Appliance
- Ability to create or edit courses in LX Appliance
- Target users must view the malicious course in a web browser
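The flow above, as an added illustration that is not the LX Appliance's or Video.js's own code: a constructed course record spliced straight into markup (the stored-XSS pattern a Teacher-role user would abuse) next to a renderer that entity-escapes text fields and allows only http(s) media URLs. The course fields, the payloads, and the base URL `https://lx.example` are assumptions made for the example; the real defect sits in the Video.js package and is not reproduced here.

```javascript
// Added example, not code from Festo LX Appliance or Video.js: the stored-XSS
// pattern described in the advisory (Teacher-supplied course content rendered
// as markup) next to a hardened renderer. All data here is constructed.

// Constructed course record as a malicious Teacher-role user might save it.
const maliciousCourse = {
  title: 'Pneumatics 101 <script>alert(1)</script>',
  description: 'Intro <img src=x onerror="alert(document.cookie)">',
  videoUrl: 'javascript:alert(document.cookie)',
};

// VULNERABLE: trusts every Teacher-supplied string and splices it into HTML.
// A student's browser would run the onerror handler and the javascript: URL.
function renderCourseUnsafe(course) {
  return `<h2>${course.title}</h2>` +
    `<div class="desc">${course.description}</div>` +
    `<video controls src="${course.videoUrl}"></video>`;
}

// Entity-escape text destined for an element body or a quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Allow only http(s) media sources; javascript:, data: and unparsable values
// collapse to an empty string. The base URL is an assumed appliance origin.
function safeMediaUrl(u) {
  try {
    const parsed = new URL(String(u), 'https://lx.example');
    if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
      return parsed.href;
    }
  } catch (_) {
    // not a URL at all
  }
  return '';
}

// HARDENED: each untrusted field is escaped as text or validated as a URL,
// so the same course record renders as inert markup.
function renderCourseSafe(course) {
  return `<h2>${escapeHtml(course.title)}</h2>` +
    `<div class="desc">${escapeHtml(course.description)}</div>` +
    `<video controls src="${escapeHtml(safeMediaUrl(course.videoUrl))}"></video>`;
}

// Detector used to compare the two renderers: an on* handler inside a tag,
// a javascript: src/href, or a <script> element anywhere in the output.
function containsActiveContent(html) {
  return /<\w+[^>]*\son\w+\s*=/i.test(html) ||
    /\s(?:src|href)\s*=\s*["']?\s*javascript:/i.test(html) ||
    /<script\b/i.test(html);
}

console.log('unsafe active:', containsActiveContent(renderCourseUnsafe(maliciousCourse)));
console.log('safe active:  ', containsActiveContent(renderCourseSafe(maliciousCourse)));
```

The hardened renderer treats every course field as data, never as markup; if rich text must be allowed in course descriptions, an allowlist HTML sanitizer on the server side plus a Content-Security-Policy that forbids inline scripts are the usual complements to this escaping.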
- Low exploitation complexity
- Requires valid privileged credentials (Teacher role)
- Medium CVSS score (6.1)
- No patch for older versions; the fix is an upgrade to the June 2023 release or later
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
Product        Affected Versions   Fix Status
LX Appliance   < June 2023         June 2023 or later
Remediation & Mitigation
Do now
HARDENING: Restrict Teacher role assignment to trusted personnel only and regularly audit Teacher account permissions
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption
HOTFIX: Contact Festo Didactic services at services.didactic@festo.com to upgrade LX Appliance to the June 2023 release or later
Long-term hardening
HARDENING: Isolate LX Appliance from the business network and the Internet; only allow access from a dedicated training network with strict firewall rules
CVEs (1)