CONFERENCE Cyber AI & Automation Summit - NOW LIVE
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Vulnerabilities Expose mySCADA myPRO Systems to Remote Hacking

Critical vulnerabilities patched by mySCADA in its myPRO HMI/SCADA product can allow remote and unauthenticated takeover of the system.

The myPRO product of Czech industrial automation company mySCADA is affected by several critical vulnerabilities, including ones that can allow a remote, unauthenticated attacker to take complete control of the targeted system. 

myPRO is a human-machine interface (HMI) and supervisory control and data acquisition (SCADA) system designed for visualizing and controlling industrial processes. The product can run on Windows, macOS and Linux, including servers, PCs and embedded devices.

Cybersecurity researcher Michael Heinzl, who has found many industrial control system (ICS) vulnerabilities over the past years, discovered that myPRO’s Manager and Runtime components are impacted by five types of flaws.

According to the cybersecurity agency CISA, which coordinated the responsible disclosure of the vulnerabilities, and Heinzl, who published his own advisories, the security holes include OS command injection, improper and missing authentication, and path traversal issues.

Heinzl reported his findings to the vendor through CISA in July and August 2024. mySCADA patched the vulnerabilities with the release of myPRO Manager 1.3 and myPRO Runtime 9.2.1.

Four of the five vulnerabilities have been assigned a ‘critical’ severity rating and one has been classified as ‘high severity’. 

The flaws can allow a remote, unauthenticated attacker to achieve arbitrary OS command execution with elevated privileges, and gain unauthorized access to the system and files. 

Heinzl told SecurityWeek that successful exploitation of the vulnerabilities could allow a remote, unauthenticated attacker to gain admin control and completely compromise the affected product, as well as the underlying system.

The internet search engine Censys does appear to show several dozen internet-exposed mySCADA HMIs, but it’s unclear if and how many are vulnerable to attacks involving the recently patched vulnerabilities.

Advertisement. Scroll to continue reading.

The researcher noted that exposure to attacks depends on the configuration of the system. By default, the vulnerable service is listening on all network interfaces after installation. 

CISA noted in its advisory that it’s not aware of any attacks exploiting these vulnerabilities. 

Heinzl previously found critical vulnerabilities in mySCADA myPRO back in 2021.

Related: ICS Security: 145,000 Systems Exposed to Web, Many Industrial Firms Hit by Attacks

Related: 300 Drinking Water Systems in US Exposed to Disruptive, Damaging Hacker Attacks

Related: ICS Patch Tuesday: Security Advisories Released by CISA, Schneider, Siemens, Rockwell

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Video platform Vimeo has appointed Ryan Weeks as Chief Information Security Officer.

LPL Financial has welcomed Renana Friedlich as Chief Information Security Officer.

SSH Communications Security has appointed Pauli Haikonen as the company’s Chief Information Security Officer (CISO).

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.