The Rapid SCADA open source industrial automation platform is affected by several vulnerabilities that could allow hackers to gain access to sensitive industrial systems, but the flaws remain unpatched.
The US cybersecurity agency CISA published an advisory last week to inform industrial organizations about seven vulnerabilities discovered by Claroty researchers in Rapid SCADA.
Rapid SCADA is advertised as ideal for developing monitoring and control systems, particularly industrial automation and IIoT systems, energy accounting systems, and process control systems.
The product is affected by seven types of vulnerabilities that, according to CISA’s advisory, can be used to read sensitive files, remotely execute arbitrary code, gain access to sensitive systems through phishing attacks, escalate privileges, obtain administrator passwords, and access sensitive data about the application’s internal code.
One of the flaws has been classified as ‘critical’ and two as ‘high severity’, but developers have yet to release patches, despite being notified in early July 2023.
CISA and Claroty said their attempts to get in contact with Rapid SCADA developers have failed. The developers have also not responded to SecurityWeek’s request for comment.
Noam Moshe, vulnerability researcher at Claroty, told SecurityWeek that Rapid SCADA is implemented in many different fields in the modern operational technology (OT) ecosystem, being a good option for small and medium-size companies due to it being free and open source.
Moshe pointed out that some of the vulnerabilities can be exploited by an unauthenticated attacker for remote code execution and there are a few dozen Rapid SCADA instances that are directly accessible from the internet, leaving organizations vulnerable to attacks.
“The vulnerabilities we discovered enable attackers to achieve remote code execution on Rapid SCADA Servers, meaning attackers could fully control these servers,” the researcher explained. “After a successful exploit, the attackers could alter the behavior of services controlled by the Rapid SCADA server, move laterally inside the victim’s networks, etc.”