Unpatched Vulnerabilities Expose Novakon HMIs to Remote Hacking

Some of the industrial control system (ICS) products made by Taiwan-based Novakon are affected by serious vulnerabilities, and the vendor does not appear to have released any patches. 

A subsidiary of iBASE Technology, Novakon designs and manufactures human-machine interfaces (HMIs), industrial PCs, and IIoT solutions. The company serves 18 countries across North America, Europe and Asia. Marketing materials show that 40,000 units of Novakon’s 7” HMIs have been deployed in global data centers. 

Researchers at CyberDanube, an IT/OT penetration testing and security consulting company, discovered that Novakon’s HMIs are affected by five types of vulnerabilities.

According to an advisory published by CyberDanube, the HMIs are affected by an unauthenticated buffer overflow allowing remote code execution with root privileges, a directory traversal that exposes files, and a couple of weak authentication issues that allow access to the device and applications.

The security firm’s researchers also discovered missing protection mechanisms and unnecessarily high permissions for certain processes. 

Sebastian Dietz, security researcher at CyberDanube, told SecurityWeek that the vulnerabilities can be exploited remotely without authentication.

“An unauthenticated attacker could leverage these vulnerabilities to execute high privilege code on these devices,” Dietz explained. “As HMI devices are used to interact with machines and systems (eg, PLCs, production lines) in critical infrastructure, gaining arbitrary code execution could have severe consequences.”

Dietz noted that it’s difficult to determine how many devices may be vulnerable to attacks, “as they are normally deployed in critical infrastructure and (hopefully) not directly exposed via the internet”.

CyberDanube said Novakon has been sent a report describing its findings, but the vendor did not provide any feedback and ignored a vast majority of its communication attempts. 

Novakon has not responded to SecurityWeek’s request for comment.

Learn More at SecurityWeek’s ICS Cybersecurity Conference The leading global conference series for Operations, Control Systems and OT/IT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity. October 27-30, 2025 | Atlanta www.icscybersecurityconference.com

Related: DELMIA Factory Software Vulnerability Exploited in Attacks

Related: ICS Patch Tuesday: Rockwell Automation Leads With 8 Security Advisories

Related: Critical Flaws Patched in Rockwell FactoryTalk, Micro800, ControlLogix Products