Path Traversal Flaw Found in ICONICS WebHMI

A researcher has identified a serious path traversal vulnerability in a web-based human machine interface (HMI) product from industrial automation software developer ICONICS.

ICONICS WebHMI allows managers, supervisors and operators to remotely access reports, graphics, historical trends and alarms from any web browser. The product has been used primarily in the United States and Europe in sectors such as energy, commercial facilities, healthcare, water, and food and agriculture.

Maxim Rupp, a German researcher who specializes in ICS/SCADA security, discovered that the product is affected by a directory traversal flaw (CVE-2016-2289): by supplying path components such as "../" in a request, a remote attacker can read files outside the web root, including configuration files that store password hashes and other sensitive information. The issue was reported to ICS-CERT on December 22, 2015, which in turn notified the vendor.

The vulnerability affects ICONICS WebHMI version 9 and earlier, and it has been assigned a CVSS v3 base score of 9.8, which falls in the "critical" band (9.0 to 10.0) of the CVSS v3 rating scale. Rupp told SecurityWeek that the information found in the exposed configuration files could in theory be used to gain access to other systems, though he believes such an attack is unlikely.

Exploitation requires only that the attacker can reach the vulnerable WebHMI web interface with a request. ICONICS has not released a patch for the vulnerability; instead it has advised users of vulnerable versions not to expose the product directly to the Internet.
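The flaw class described above, as an added example: a naive file-serving resolver of the kind that produces a directory traversal bug, beside a hardened one, run over constructed request strings. This is illustration code written for this page, not ICONICS code and not taken from the advisory; the web root, file names and request strings are made up, and nothing here reflects WebHMI's actual endpoints.

```python
"""Path traversal: the naive file-serving pattern beside a hardened resolver.

Added example. The web root, file names and request strings are constructed
for illustration; none of this is ICONICS code or taken from the advisory.
"""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Constructed request strings of the kind a traversal scanner sends to a
# handler that serves files by name. The first two are legitimate.
SAMPLE_REQUESTS = [
    "reports/daily.html",
    "reports/./daily.html",
    "../config/settings.xml",                 # plain dot-dot
    "reports/../../config/settings.xml",      # dot-dot after a valid prefix
    "%2e%2e%2fconfig%2fsettings.xml",         # URL-encoded ../
    "..%5c..%5cconfig%5csettings.xml",        # encoded backslashes (Windows hosts)
    "%252e%252e%252fconfig",                  # double-encoded
    "/etc/passwd",                            # absolute path
]


def naive_resolve(web_root: str, requested: str) -> str:
    """The flawed pattern: URL-decode the request and join it onto the web root
    with no containment check. '..' segments walk back out of web_root, and
    os.path.join discards web_root entirely when the request is absolute."""
    return os.path.normpath(os.path.join(web_root, unquote(requested)))


def escapes_root(web_root: str, resolved: str) -> bool:
    """True when the resolved path lies outside web_root, i.e. traversal worked."""
    root = os.path.normpath(web_root)
    return os.path.commonpath([root, resolved]) != root


def hardened_resolve(web_root: str, requested: str):
    """Return the Path to serve, or None when the request must be rejected.

    Two independent layers: a syntactic filter on the decoded request, then a
    canonical containment check on the fully resolved path (which also catches
    a symlink inside web_root that points outside it)."""
    decoded = unquote(requested)
    # A '%' surviving one decode means a second encoding layer; a NUL byte can
    # truncate the path once it reaches a C runtime. Reject both outright.
    if "%" in decoded or "\x00" in decoded:
        return None
    # Treat '\' as a separator whatever the host OS: a Windows-hosted server
    # would, and the check has to agree with the filesystem, not with the URL.
    segments = decoded.replace("\\", "/").split("/")
    if segments[0] == "" or ".." in segments:  # absolute path, or any dot-dot
        return None
    root = Path(web_root).resolve()
    target = (root / "/".join(segments)).resolve()
    try:
        target.relative_to(root)  # ValueError when target is not under root
    except ValueError:
        return None
    if target == root:            # the root directory itself is not a file to serve
        return None
    return target


def run_demo(web_root: str = "") -> dict:
    """Run both resolvers over SAMPLE_REQUESTS against a constructed web root
    and report, per request, whether the naive one escaped and whether the
    hardened one accepted."""
    root = web_root or tempfile.mkdtemp(prefix="webhmi-demo-")  # constructed root
    outcome = {}
    for req in SAMPLE_REQUESTS:
        outcome[req] = {
            "naive_escapes": escapes_root(root, naive_resolve(root, req)),
            "hardened_accepts": hardened_resolve(root, req) is not None,
        }
    return outcome


if __name__ == "__main__":
    for req, res in run_demo().items():
        print(f"{req!r:40} naive escapes: {res['naive_escapes']!s:5}"
              f"  hardened accepts: {res['hardened_accepts']}")
```

On a Windows host the `..%5c` variant escapes the naive resolver as well; on Linux `os.path` treats the backslash as an ordinary character, which is why the hardened version normalizes separators before checking instead of trusting the host's idea of a separator. The double-encoded case is the defense-in-depth argument: the naive resolver happens not to escape on it, but a front-end proxy or a second decoding layer in the application could change that, so the hardened version rejects it anyway.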

The company has also advised customers to upgrade the product to version 10 and apply the security features available in this newer release.

“ICS-CERT Advisory ICSA-16-091-01 pertains to ICONICS’ WebHMI product (Version 9 and earlier). The current version of WebHMI (Version 10) has been on the market since 2008 and is not affected by this potential vulnerability. ICONICS advises Version 9 customers who want to expose the product directly to the Internet to upgrade their existing product to Version 10 and apply the security features available in this newer release. ICONICS’ latest products include cloud connectivity with built-in advanced security and encryption features,” ICONICS told SecurityWeek.

“ICONICS recommends that customers using WebHMI Version 9 or earlier avoid exposing the product directly to the Internet, following the prescribed Mitigation steps listed on the ICS-CERT Web site. Any current project deployed via Version 9 or earlier should be protected behind a company firewall. ICONICS is currently working on a patch to address this vulnerability,” the company added.

In recent years, ICS-CERT has published several advisories for vulnerabilities in ICONICS products. Most of the advisories cover issues affecting GENESIS, the company's suite of OPC, SNMP, BACnet and web-enabled HMI and SCADA applications.

Maxim Rupp has been credited with responsibly reporting vulnerabilities in many ICS/SCADA products, including XZERES wind turbines, Tollgrade's LightHouse SMS power distribution monitoring product, Honeywell's Tuxedo Touch automation controllers and Midas gas detectors, and Chiyu Technology fingerprint access controllers.

*Updated with statement from ICONICS

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
