The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released several Industrial Control Systems (ICS) advisories warning of critical security flaws affecting products from Sewio, InHand Networks, Sauter Controls, and Siemens.
The most severe of the flaws relate to Sewio's RTLS Studio, which could be exploited by an attacker to "obtain unauthorized access to the server, alter information, create a denial-of-service condition, gain escalated privileges, and execute arbitrary code," according to CISA.
This includes CVE-2022-45444 (CVSS score: 10.0), a case of hard-coded passwords for select users in the application's database that potentially grant remote adversaries unrestricted access.
Also notable are two command injection flaws (CVE-2022-47911 and CVE-2022-43483, CVSS scores: 9.1) and an out-of-bounds write vulnerability (CVE-2022-41989, CVSS score: 9.1) that could result in denial-of-service condition or code execution.
The vulnerabilities impact RTLS Studio version 2.0.0 up to and including version 2.6.2. Users are recommended to update to version 3.0.0 or later.
CISA, in a second alert, highlighted a set of five security defects in InHand Networks InRouter 302 and InRouter 615, including CVE-2023-22600 (CVSS score: 10.0), that could lead to command injection, information disclosure, and code execution.
"If properly chained, these vulnerabilities could result in an unauthorized remote user fully compromising every cloud-managed InHand Networks device reachable by the cloud," the agency said.
All firmware versions of InRouter 302 prior to IR302 V3.5.56 and InRouter 615 before InRouter6XX-S-V2.3.0.r5542 are susceptible to the bugs.
Security vulnerabilities have also been disclosed in Sauter Controls Nova 220, Nova 230, Nova 106, and moduNet300 that could allow unauthorized visibility to sensitive information (CVE-2023-0053, CVSS score: 7.5) and remote code execution (CVE-2023-0052, CVSS score: 9.8).
The Swiss-based automation company, however, does not plan to release fixes for the identified issues owing to the fact that the product line is no longer supported.
Lastly, the security agency detailed a cross-site scripting (XSS) flaw in Siemens Mendix SAML equipment (CVE-2022-46823, CVSS score: 9.3) that could permit a threat actor to gain sensitive information by tricking users into clicking a specially crafted link.
Users are advised to enable multi-factor authentication and update Mendix SAML to versions 2.3.4 (Mendix 8), 3.3.8 (Mendix 9, Upgrade Track), or 3.3.9 (Mendix 9, New Track) to mitigate potential risks.