CVE-2022-3388

Summary

An input validation vulnerability exists in the Monitor Pro interface of MicroSCADA Pro and MicroSCADA X SYS600. An authenticated user can launch an administrator level remote code execution irrespective of the authenticated user's role.

Affected Software

VendorProductVersion RangeStatus
Hitachi EnergyMicroSCADA Pro SYS6009.0affected
Hitachi EnergyMicroSCADA X SYS60010.0affected

Weaknesses

  • CWE-20: CWE-20 Improper Input Validation

Workarounds

Recommended security practices and firewall configurations can help protect a process control network from attacks that originate from outside the network. Such practices include that process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed, and others that have to be evaluated case by case. Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system. Proper password policies and processes should be followed. We recommend following the cybersecurity deployment guideline as follows: 1MRK511518 MicroSCADA X Cyber Security Deployment Guideline.

ADP Enrichment

CVE Program Container

Additional References

References