Schneider Electric Easy UPS Online Monitoring Software

1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity  Vendor: Schneider Electric  Equipment: APC Easy UPS Online Monitoring Software, Schneider Electric Easy UPS Online Monitoring Software  Vulnerabilities: Missing Authentication for Critical Function, Improper Handling of Case Sensitivity  2. RISK EVALUATION Successful exploitation of these vulnerabilities could result in remote code execution, escalation of privileges, or authentication bypass,…

Read More

Omron CS/CJ Series

1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity  Vendor: Omron  Equipment: SYSMAC CS/CJ Series  Vulnerability: Missing Authentication for Critical Function  2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to access sensitive information in the file system and memory.  3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Omron CS/CJ series, programmable…

Read More

INEA ME RTU

1. EXECUTIVE SUMMARY CVSS v3 10.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: INEA Equipment: ME RTU  Vulnerability: OS Command Injection 2. RISK EVALUATION Successful exploitation of this vulnerability could allow remote code execution.  3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of ME RTU, a remote terminal unit, are affected:  ME RTU: versions prior to 3.36 3.2 VULNERABILITY…

Read More

MAR-10435108-1.v1 ICONICSTEALER

Notification This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:WHITE–Disclosure is not limited. Sources…

Read More

Oracle Releases Security Updates

Oracle has released its Critical Patch Update Advisory, Solaris Third Party Bulletin, and Linux Bulletin for April 2023 to address vulnerabilities affecting multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Oracle’s Critical Patch Update Advisory, Solaris Third Party…

Read More

CISA Releases Two SBOM Documents

Today, CISA released two community-drafted documents around Software Bill of Materials (SBOM): Types of SBOM documents and Minimum Requirements for Vulnerability Exploitability eXchange (VEX).  The Types of SBOM document summarizes common types of SBOMs that tools may create in the industry today, along with the data typically presented for each type of SBOM. As software goes from…

Read More

Scada-LTS Third Party Component

1. EXECUTIVE SUMMARY CVSS v3 6.5 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available  Vendor: Scada-LTS  Equipment: Scada-LTS  Vulnerability: Cross-site Scripting  2. RISK EVALUATION Successful exploitation of this vulnerability could allow loss of sensitive information and execution of arbitrary code.  3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Scada-LTS, an open-source HMI, are affected:  Scada-LTS Versions 2.7.4…

Read More

Abuse of the Service Location Protocol May Lead to DoS Attacks

The Service Location Protocol (SLP, RFC 2608) allows an unauthenticated remote attacker to register arbitrary services. This could allow an attacker to use spoofed UDP traffic to conduct a denial-of-service (DoS) attack with a significant amplification factor. Researchers from Bitsight and Curesec have discovered a way to abuse SLP—identified as CVE-2023-29552—to conduct high amplification factor…

Read More

CISA Releases Two Industrial Control Systems Advisories

CISA released two Industrial Control Systems (ICS) advisories on April 25, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.  ICSA-23-115-01 Keysight N8844A Data Analytics Web Service ICSA-23-115-02 Scada-LTS Third Party Component CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations….

Read More