The myPRO product of Czech industrial automation company mySCADA is affected by several critical vulnerabilities, including ones that can allow a remote, unauthenticated attacker to take complete control of the targeted system.
myPRO is a human-machine interface (HMI) and supervisory control and data acquisition (SCADA) system designed for visualizing and controlling industrial processes. The product can run on Windows, macOS and Linux, including servers, PCs and embedded devices.
Cybersecurity researcher Michael Heinzl, who has found many industrial control system (ICS) vulnerabilities over the past years, discovered that myPRO’s Manager and Runtime components are impacted by five types of flaws.
According to the cybersecurity agency CISA, which coordinated the responsible disclosure of the vulnerabilities, and Heinzl, who published his own advisories, the security holes include OS command injection, improper and missing authentication, and path traversal issues.
Heinzl reported his findings to the vendor through CISA in July and August 2024. mySCADA patched the vulnerabilities with the release of myPRO Manager 1.3 and myPRO Runtime 9.2.1.
Four of the five vulnerabilities have been assigned a ‘critical’ severity rating and one has been classified as ‘high severity’.
The flaws can allow a remote, unauthenticated attacker to achieve arbitrary OS command execution with elevated privileges, and gain unauthorized access to the system and files.
Heinzl told SecurityWeek that successful exploitation of the vulnerabilities could allow a remote, unauthenticated attacker to gain admin control and completely compromise the affected product, as well as the underlying system.
The internet search engine Censys does appear to show several dozen internet-exposed mySCADA HMIs, but it’s unclear if and how many are vulnerable to attacks involving the recently patched vulnerabilities.
The researcher noted that exposure to attacks depends on the configuration of the system. By default, the vulnerable service is listening on all network interfaces after installation.
CISA noted in its advisory that it’s not aware of any attacks exploiting these vulnerabilities.
Heinzl previously found critical vulnerabilities in mySCADA myPRO back in 2021.
Related: ICS Security: 145,000 Systems Exposed to Web, Many Industrial Firms Hit by Attacks
Related: 300 Drinking Water Systems in US Exposed to Disruptive, Damaging Hacker Attacks
Related: ICS Patch Tuesday: Security Advisories Released by CISA, Schneider, Siemens, Rockwell
