A security researcher has discovered several vulnerabilities, including ones rated critical- and high-severity, in industrial products made by Elcomplus, a Russian company specializing in professional radio communications and industrial automation.
Researcher Michael Heinzl discovered a total of nine vulnerabilities in Elcomplus’ SmartPTT SCADA product, which combines the capabilities of SCADA/IIoT systems with dispatch software for professional radio systems.
In addition, it appears that products made by SmartICS, an Elcomplus unit that specializes in SCADA and industrial IoT visualization platforms, are also affected by some of the vulnerabilities, as they share code.
The affected products are used by more than 2,000 organizations across 90 countries, including in the United States, which is why the US Cybersecurity and Infrastructure Security Agency (CISA) this week published two advisories to inform organizations about these vulnerabilities. Heinzl has also made public individual advisories for each flaw.
Learn more about vulnerabilities in industrial products at
SecurityWeek’s ICS Cyber Security Conference
The list of security holes includes path traversal, cross-site scripting (XSS), arbitrary file upload, authorization bypass, cross-site request forgery (CSRF), and information disclosure issues.
Exploitation of these vulnerabilities can allow an attacker to upload files, read or write arbitrary files on the system, obtain credentials stored in clear text, carry out various actions on behalf of a user, execute arbitrary code, and elevate privileges to access admin functionality.
In some cases, exploitation requires authentication or user interaction (e.g. clicking on a link or accessing certain pages).
The researcher reported the vulnerabilities to the vendor through CISA in April 2021. While the vendor has not been very responsive, it appears that it did release patches by the end of 2021.
These are not the only ICS vulnerabilities identified by Heinzl. In the past year, the researcher disclosed flaws found in the CX-Programmer PLC programming software of Japanese electronics giant Omron, Fuji Electric’s Tellus factory monitoring and operating product, Delta Electronics’ DIAEnergie industrial energy management system, and the myPRO HMI/SCADA product of Czech industrial automation company mySCADA.
Related: Russia-Linked Pipedream/Incontroller ICS Malware Designed to Target Energy Facilities
Related: ICS Patch Tuesday: Siemens, Schneider Fix Several Critical Vulnerabilities
Related: Critical Vulnerabilities Found in Sealevel Device Used in ICS Environments