Connect with us

Hi, what are you looking for?



High Severity Flaws Patched in Trihedral SCADA Software

An update released by Trihedral for its VTScada product patches several vulnerabilities, including high severity weaknesses that can be exploited even by less skilled hackers.

An update released by Trihedral for its VTScada product patches several vulnerabilities, including high severity weaknesses that can be exploited even by less skilled hackers.

VTScada, Trihedral’s flagship product, is a software suite designed for creating human-machine interfaces (HMI) for supervisory control and data acquisition (SCADA) systems. The product is used in various industries, mainly in North America and Europe.

Security researcher Karn Ganeshen discovered several vulnerabilities affecting VTScada versions prior to 11.2.26. The expert told SecurityWeek that a Shodan search showed a few systems running VTScada accessible from the Internet, but he believes there are more vulnerable instances that are exposed to attacks.

One of the flaws, tracked as CVE-2017-6043 and assigned a CVSS score of 7.5, is a denial-of-service (DoS) issue that exists due to the VTScada client’s failure to limit resource usage.

In an advisory published on his website, Ganeshen said an attacker with a non-privileged account can cause excessive CPU and RAM usage by submitting a large payload (up to roughly 80,000 characters) in the username field of the login window.

“Where a full-blown application (or multiple applications in production scenario) is deployed, i.e. with an operational/functional configuration, memory/CPU usage is notably higher than that of a test, blank application,” the expert said. “Repeatedly submitting such a large username input rapidly consumes available server memory resources leading to resource exhaustion. This forces a system reboot eventually.”

Another high severity flaw found by the researcher in VTScada is CVE-2017-6045, an information disclosure issue that exposes potentially sensitive configuration data to unauthenticated attackers.

Advertisement. Scroll to continue reading.

Ganeshen also informed Trihedral of several cross-site scripting (XSS) vulnerabilities that can be exploited to execute arbitrary JavaScript code in the targeted user’s browser. These security holes are considered medium severity and they are tracked as CVE-2017-6053.

The flaws have been addressed by Trihedral with the release of VTScada 11.2.26. The researcher has confirmed that the resource exhaustion vulnerability has been properly patched.

In a brief statement published on Wednesday on its website, Trihedral pointed out that the vulnerabilities only affect “systems with unsecured internet connections with VTScada internet access enabled.” The company has advised customers to secure their connection and update the product to the latest version.

Ganeshen told SecurityWeek that he submitted two other VTScada vulnerability reports, which should soon be published by ICS-CERT.

Related: Learn More at SecurityWeek’s ICS Cyber Security Conference

Related: Trihedral Patches Flaws in SCADA Software

Related: Average Patching Time for SCADA Flaws Is 150 Days

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...