OTPulse

Pro-face GP-Pro EX and Remote HMI

Recommended action: Plan Patch
CVSS: 7.1
Advisory ID: SEVD-2025-014-02
Published: Jan 14, 2025
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary

Multiple vulnerabilities in Pro-face GP-Pro EX and Remote HMI products expose unencrypted communications to man-in-the-middle attacks. GP-Pro EX is an HMI screen editor and logic programming software used to configure and monitor industrial equipment. Remote HMI is a mobile app for remote monitoring on tablets and smartphones. Exploitation could allow an attacker on the network path to intercept or modify communications, leading to information disclosure, data integrity compromise, and operational failures.

What this means
What could happen
An attacker positioned between your engineering workstation and Pro-face devices could intercept or modify unencrypted communications, altering HMI configurations, setpoints, or process logic without detection. This could cause unintended equipment behavior or shutdown.
Who's at risk
Energy utilities and manufacturing facilities using Pro-face GP-Pro EX for HMI programming and configuration, and operators using Pro-face Remote HMI mobile apps to monitor equipment from tablets or smartphones. Any site where HMI engineering or remote monitoring traffic crosses untrusted network segments is at risk.
How it could be exploited
An attacker on the network path between an engineering workstation running GP-Pro EX and the target HMI device, or between a mobile device running Remote HMI and the monitored equipment, performs a man-in-the-middle (MITM) attack to intercept unencrypted traffic. The attacker can then read sensitive configuration data or inject malicious commands into the communication stream.
Prerequisites
  • Network position on the path between the engineering workstation/mobile device and the Pro-face HMI or target equipment
  • No encryption enforced on communications between GP-Pro EX and HMI devices
  • No encryption enforced on communications between Remote HMI app and backend systems
  • Remotely exploitable
  • Man-in-the-middle attack vector
  • Could result in loss of confidentiality and integrity of operational data
  • Affects HMI systems which control or monitor critical process logic
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2), 2 with fix

Product                 Affected Versions    Fix Status
Pro-face GP-Pro EX      < 5.00.100           Fixed in 5.00.100
Pro-face Remote HMI     < 1.70.000           Fixed in 1.70.000
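The affected-version table above is a strict "less than fixed version" check, which is easy to get wrong by comparing version strings lexically ("4.09.250" sorts after "5.00.100" as text in some tools). The following script is an added example, not part of the OTPulse advisory or any Pro-face tooling: it compares installed versions numerically against the two fixed versions from the table and flags which inventory entries still need the hotfix. The inventory format (hostname,product,version) and the hostnames and versions in it are constructed for illustration.

```python
from typing import Dict, List, Tuple

# First non-vulnerable version per product, taken from the advisory table.
# Anything strictly below these is affected.
FIXED_VERSIONS: Dict[str, str] = {
    "Pro-face GP-Pro EX": "5.00.100",
    "Pro-face Remote HMI": "1.70.000",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '4.09.250' into (4, 9, 250).

    Numeric comparison of the tuple avoids the lexical-ordering trap
    where '4.09.250' > '5.00.100' as plain strings would be false but
    '10.0.0' < '5.0.0' would be true.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(product: str, installed: str) -> bool:
    """True if the installed version is below the fixed version for this product."""
    fixed = FIXED_VERSIONS[product]
    return parse_version(installed) < parse_version(fixed)


# Constructed sample inventory (hypothetical format: hostname,product,version).
SAMPLE_INVENTORY = """\
eng-ws-01,Pro-face GP-Pro EX,4.09.250
eng-ws-02,Pro-face GP-Pro EX,5.00.100
tablet-07,Pro-face Remote HMI,1.60.010
tablet-08,Pro-face Remote HMI,1.70.000
plc-gw-03,Some Other Product,2.0.0
"""


def assess_inventory(inventory_csv: str) -> List[dict]:
    """Classify each inventory line as affected, fixed, or out of scope."""
    results = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, product, version = (field.strip() for field in line.split(",", 2))
        if product not in FIXED_VERSIONS:
            status = "not in scope"      # product not covered by this advisory
        elif is_affected(product, version):
            status = "affected"          # below fixed version: schedule the hotfix
        else:
            status = "fixed"
        results.append({"host": host, "product": product,
                        "version": version, "status": status})
    return results


def affected_hosts(inventory_csv: str) -> List[str]:
    """Hostnames that still need the upgrade from the remediation section."""
    return [r["host"] for r in assess_inventory(inventory_csv)
            if r["status"] == "affected"]


if __name__ == "__main__":
    for row in assess_inventory(SAMPLE_INVENTORY):
        print(f"{row['host']:<12} {row['product']:<22} {row['version']:<10} {row['status']}")
```

Running it against the constructed inventory lists eng-ws-01 and tablet-07 as affected; the two hosts already on the fixed versions and the unrelated product are not flagged. Feed it a real asset export in the same three-column shape to build the patch list for the maintenance window.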
Remediation & Mitigation
Do now
  • HARDENING: Implement network segmentation to isolate HMI engineering workstations and mobile devices from untrusted networks; restrict communication to necessary IP addresses and ports only
  • WORKAROUND: Use VPN or encrypted tunnels (TLS/SSL) for all remote connections to Pro-face devices and systems, especially when accessing from mobile devices or across wide-area networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Pro-face GP-Pro EX
  • HOTFIX: Upgrade Pro-face GP-Pro EX to version 5.00.100 or later
Pro-face Remote HMI
  • HOTFIX: Upgrade Pro-face Remote HMI to version 1.70.000 or later (available through Apple App Store and Google Play Store)
Pro-face GP-Pro EX and Remote HMI | CVSS 7.1 - OTPulse