Critical Vulnerabilities in mySCADA myPRO Software Pose Significant Risk to Industrial Control Systems

Researchers have disclosed critical vulnerabilities in mySCADA’s myPRO software, a widely deployed industrial automation platform. These security flaws could permit remote attackers to gain unauthorized access and complete control over critical infrastructure without authentication.

myPRO is a prominent Human-Machine Interface (HMI) and Supervisory Control and Data Acquisition (SCADA) system utilized across various industrial sectors for the visualization and management of operational processes. Its broad compatibility with Windows, macOS, and Linux operating systems, encompassing servers, PCs, and embedded devices, amplifies the potential impact of these vulnerabilities.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory detailing the vulnerabilities, which include:

• CVE-2024-47407 (CVSSv4 10): OS command injection vulnerability within myPRO Manager due to improper input validation.
• CVE-2024-52034 (CVSSv4 10): A second OS command injection vulnerability in myPRO Manager.
• CVE-2024-45369 (CVSSv4 9.2): Weak authentication mechanism in the web application.
• CVE-2024-47138 (CVSSv4 9.3): Administrative interface listens on all interfaces without authentication by default.
• CVE-2024-50054 (CVSSv4 8.7): Path traversal vulnerability enabling arbitrary file retrieval.

Successful exploitation of these vulnerabilities could grant unauthorized remote access, potentially leading to the complete compromise of both the myPRO software and the underlying operating system. The agency highlights the increased risk posed by the default configuration of the vulnerable service, which is accessible on all network interfaces immediately following installation.

mySCADA has released updated versions of the affected software components (myPRO Manager version 1.3 and myPRO Runtime version 9.2.1) to remediate these vulnerabilities. However, the extent of potential exploitation remains unknown. Censys search engine data indicates that a significant number of mySCADA instances are internet-facing, raising concerns about the security posture of these deployments.

Organizations utilizing mySCADA myPRO are strongly advised to implement the necessary security updates without delay and conduct thorough security assessments to mitigate the risk of compromise.

Related Posts:

• Kaspersky Report: Energy Industry becomes the largest area affected by vulnerabilities in industrial automation systems
• Positive Technologies: “73 percent of industrial organizations’ networks are vulnerable to hackers”
• Hacker can use Smartphone Apps to control industrial processes
• CISA Warns Critical Vulnerabilities in Vonets WiFi Bridge Devices, No Patch Available
• ServiceNow Security Alert: Critical Vulnerabilities Expose Businesses to RCE and Data Breaches