A serious vulnerability that allows an attacker to steal files from an affected system has been found by a researcher in a building automation product from Swiss-based Fr. Sauter AG. It took the vendor only 10 days to release a patch.
The impacted product, CASE Suite, is designed for handling building automation projects. ICS-CERT says the software is used worldwide, particularly in the critical manufacturing sector.
Gjoko Krstic, a researcher with industrial cybersecurity firm Applied Risk, found that CASE Suite versions 3.10 and prior are affected by a high severity XML external entity (XXE) vulnerability. According to an advisory published by Applied Risk on Friday, the flaw impacts the CASE Components, CASE Sensors and CASE VAV applications.
The security hole is tracked as CVE-2018-17912 and it has been assigned CVSS scores of 7.5 (ICS-CERT) and 8.6 (Applied Risk).
“The application suffers from an XML External Entity (XXE) vulnerability using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data on the affected node via out-of-band (OOB) attack,” Applied Risk said in its advisory. “The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML data file.”
Learn More About Automation Security at SecurityWeek’s ICS Cyber Security Conference
Krstic told SecurityWeek that an attacker can exploit the vulnerability by getting the targeted user to open a specially crafted XML file using a vulnerable version of the CASE Suite software. For instance, the file can be sent via email, and it may not raise too much suspicion as the software includes functionality for saving and opening project or data files with this format.
In another attack scenario, if the attacker already has access to the system, they can place the malicious file anywhere (e.g., the Desktop folder) and it will be automatically loaded when the user browses to that location via the Sauter software. The researcher noted that the application automatically loads XML files found in folders browsed by the user – he described this as dangerous functionality.
Once the malicious XML file is loaded, it allows the attacker to steal any file from the compromised system, including configuration data, personal information, account credentials, and details about the system and the network housing it, Krstic said via email.
The vulnerability can also be exploited to cause the impacted software to enter a denial-of-service (DoS) condition.
It’s not uncommon for researchers to find vulnerabilities in building automation software. However, in this case it took Sauter only 10 days to release a patch after it was informed of the flaw by ICS-CERT on October 15. It often takes vendors hundreds of days to patch security holes in automation products.
Related: Internet Exposure, Flaws Put Industrial Safety Controllers at Risk of Attacks
Related: Power Grid Protection Firm SEL Patches Severe Software Flaws

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Dole Says Employee Information Compromised in Ransomware Attack
- High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian
- CISA Expands Cybersecurity Committee, Updates Baseline Security Goals
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
Latest News
- Tesla Hacked Twice at Pwn2Own Exploit Contest
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
- Watch on Demand: Supply Chain & Third-Party Risk Summit Sessions
- TikTok CEO Grilled by Skeptical Lawmakers on Safety, Content
- CISA, NSA Issue Guidance for IAM Administrators
