Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Trihedral Fixes Vulnerability in SCADA Monitoring and Control Software

Canada-based Trihedral Engineering Ltd. has released software updates to address a security vulnerability that can be leveraged to cause VTScada servers to crash.

Canada-based Trihedral Engineering Ltd. has released software updates to address a security vulnerability that can be leveraged to cause VTScada servers to crash.

VTScada (VTS) is a control and monitoring application for supervisory control and data acquisition (SCADA) systems. The product is used in industries such as chemical, energy, communications, critical manufacturing, transportation, and food and agriculture mainly in North America and Europe.

According to an advisory published on Tuesday by the Industrial Control Systems Computer Emergency Response Team (ICS-CERT), the software is plagued by a remotely exploitable integer overflow vulnerability.

“An attacker can cause VTScada to crash on an Internet server if a specifically crafted malformed network request is made to VTScada, even if that attacker does not have security credentials on the server. The malformed network request causes an integer overflow resulting in the attempted allocation of an excessively large buffer. The failure to allocate this buffer will terminate the VTScada server. The crash would not occur accidentally as a result of normal use,” ICS-CERT said.

The vulnerability, CVE-2014-9192, was discovered by an anonymous researcher who reported it through HP’s Zero Day Initiative (ZDI). The flaw affects VTScada versions 6.5 through 9.1.19, versions 10 through 10.2.21, and versions 11.0 through 11.1.07.

The vendor addressed the bug with the release of versions 11.1.09, 10.2.22 and 09.1.20. The updates are available on Trihedral’s FTP server. Exploits have not been spotted in the wild, but organizations are advised to update their installations since even a less skilled attacker can exploit the vulnerability.

ICS-CERT also advises organizations to minimize exposure for critical control systems by isolating them from the Internet and the business network, place sensitive systems behind firewalls, and use virtual private networks (VPNs) and other secure methods when remote access is required.

Advertisement. Scroll to continue reading.

Vulnerabilities in SCADA products are not uncommon. In September, three security holes were uncovered in Schneider Electric solutions, and last month, Siemens fixed critical flaws that exposed SCADA systems to remote attacks.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...