OTPulse

Philips Engage Software

Low Risk (2.6) · ICS-CERT ICSMA-22-006-01 · Jan 6, 2022
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: Required
Summary

Philips Engage Software versions 6.2.1 and earlier contain an improper access control vulnerability (CWE-284) that allows authenticated users to view sensitive business contact information they should not be able to access. The vulnerability requires valid credentials, user interaction, and high attack complexity. No public exploits exist. Philips released patched version 6.2.2 in September 2021 and deployed it to all hosted instances; customers using Philips-hosted Engage are already protected.

What this means
What could happen
An attacker with login credentials could view sensitive business contact information in Philips Engage Software. This is a read-only, low-severity disclosure: it is unlikely to disrupt plant operations directly, but it could expose employee or customer contact data.
Who's at risk
Organizations using Philips Engage Software (a hosted business communications platform) should care about this vulnerability if they operate self-hosted instances of versions 6.2.1 or earlier. Philips-hosted Engage users are already protected. Risk is limited to unauthorized disclosure of internal contact information; no operational technology (SCADA, PLC, RTU) systems are directly affected by this web application vulnerability.
How it could be exploited
An attacker would need valid Engage user credentials and would need to trick a user into clicking a malicious link or performing a specific action via the UI. The vulnerability allows improper access to contact information through the web interface.
Prerequisites
  • Valid Engage Software user credentials
  • Network access to Engage application
  • User interaction required (social engineering or phishing)
  • High attack complexity - requires specific configuration or user action
Requires valid user credentials · Requires user interaction · High attack complexity · Read-only disclosure only (no data modification) · No known active exploitation
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product            Affected Versions   Fix Status
Engage Software    ≤ 6.2.1             6.2.2
Remediation & Mitigation
Do now
HARDENING: Verify your Engage deployment model (hosted vs. self-hosted) with Philips Service support
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Philips Engage Software to version 6.2.2 or later if you are operating a self-hosted instance
HOTFIX: If using Philips-hosted Engage, no action required—Philips deployed the fix in September 2021
Long-term hardening
HARDENING: Restrict network access to Engage Software to authorized users only; place it behind a firewall and VPN if remote access is required
HARDENING: Review and audit user access permissions in Engage to ensure only necessary roles can view contact information