Security Advisories
Software issues found by Dragos

Dragos Intel conducts hands-on research and testing for ICS/OT software, devices, and protocols to discover and address security vulnerabilities.

This list of advisories provides insight into the specific vulnerabilities reported. It is updated as we discover new vulnerabilities.

Where an advisory covers several CVEs, the CVE IDs and the vulnerability types are listed in matching order.

| Threat Level | Name | CVE ID | Vulnerability Type | Affects |
|---|---|---|---|---|
| Limited Threat | Unitronics Vision Standard | CVE-2024-1480 | Unauthenticated Password Retrieval | Vision 230, Vision 280, Vision 290, Vision 530, Vision 120: all versions |
| Limited Threat | Mitsubishi Electric’s MELSEC iQ-R Safety CPU and SIL2 Process CPU Module | CVE-2023-6815 | Incorrect Privilege Assignment | MELSEC iQ-R Series Safety CPU (R08/16/32/120SFCPU): all versions; MELSEC iQ-R Series SIL2 Process CPU (R08/16/32/120PSFCPU): all versions |
| Immediate Action | Phoenix Contact: Classic line industrial controllers | CVE-2023-46143 | Integrity check fails to identify out-of-band logic changes | All versions of: Automation Worx Software Suite, AXC 1050 (2700988), AXC 1050 XC (2701295), AXC 3050 (2700989), Config+, FC 350 PCI ETH (2730844), ILC1x0, ILC1x1, ILC 3xx, PC Worx, PC Worx Express, PC WORX RT BASIC (2700291), PC WORX SRT (2701680), RFC 430 ETH-IB (2730190), RFC 450 ETH-IB (2730200), RFC 460R PN 3TX (2700784), RFC 470S PN 3TX (2916794), RFC 480S PN 4TX (2404577) |
| Limited Threat | Phoenix Contact: PLCnext | CVE-2023-46142 | Incorrect Permission Assignment for Critical Resource | v2024.0 and prior of: AXC F 1152 (1151412), AXC F 2152 (2404267), AXC F 3152 (1069208), BPC 9102S (1246285), EPC 1502 (1185416), EPC 1522 (1185423), PLCnext Engineer (1046008), RFC 4072R (1136419), RFC 4072S (1051328) |
| Limited Threat | Phoenix Contact: Automation Worx and classic line controllers | CVE-2023-46141 | Incorrect Permission Assignment for Critical Resource | All versions of: Automation Worx Software Suite, AXC 1050 (2700988), AXC 1050 XC (2701295), AXC 3050 (2700989), Config+, FC 350 PCI ETH (2730844), ILC1x0, ILC1x1, ILC 3xx, PC Worx, PC Worx Express, PC WORX RT BASIC (2700291), PC WORX SRT (2701680), RFC 430 ETH-IB (2730190), RFC 450 ETH-IB (2730200), RFC 460R PN 3TX (2700784), RFC 470S PN 3TX (2916794), RFC 480S PN 4TX (2404577) |
| Limited Threat | Phoenix Contact: MULTIPROG Engineering tool and ProConOS eCLR SDK | CVE-2023-0757; CVE-2023-5592 | Incorrect Permission Assignment for Critical Resource; Integrity check fails to identify out-of-band logic changes | MULTIPROG: all versions; ProConOS eCLR (SDK): all versions |
| Possible Threat | Siemens Spectrum Power 7 Local Privilege Escalation | CVE-2023-38557 | Local Privilege Escalation | Spectrum Power 7: V23Q3 and earlier |
| Limited Threat | SEL acSELerator RTAC Software Vulnerabilities | CVE-2023-31167; CVE-2023-34391 | Directory Traversal; Insecure Filesystem Permissions | SEL-5033: v1.35.151.20000 and earlier; SEL-5036: v1.0.49152.777 and earlier |
| Limited Threat | OPTO 22 SNAP PAC S1 Vulnerabilities | CVE-2023-40706; CVE-2023-40708; CVE-2023-40709; CVE-2023-40710 | Improper Restriction of Excessive Authentication Attempts; Improper Authorization; Denial of Service (DoS); Denial of Service (DoS) | OPTO 22 SNAP PAC S1: firmware version R10.3b |
| Limited Threat | Siemens Software Center DLL Hijacking Issues | CVE-2021-41544; CVE-2022-25634 | Uncontrolled Search Path Element; Uncontrolled Search Path Element | Siemens Software Center: versions prior to v3.0 |
| Possible Threat | PTC’s KEPServerEX Vulnerabilities | CVE-2023-29444; CVE-2023-29445; CVE-2023-29446; CVE-2023-29447 | DLL Hijacking; DLL Hijacking; UNC Path Injection; Insufficiently Protected Credentials | PTC KEPServerEX: v6.13.250.0 and prior |
| Limited Threat | Omron PLC and Engineering Software Network and File Format Access | CVE-2022-45790; CVE-2019-18269; CVE-2022-45792; CVE-2022-45793; CVE-2022-45794; CVE-2022-34151; CVE-2022-33971; CVE-2023-0811 | Memory protection is vulnerable to brute force; Memory protection may be set to non-ASCII characters; File formats vulnerable to Zip Slip; Binaries are writable by low-privileged users; File transfer lacks authentication; Backdoor account with administrative privileges; Arbitrary code execution by an authenticated attacker; Unauthenticated user may set arbitrary passwords | All versions of: Omron PLC CJ series, Omron PLC CS series, Omron PLC CP series, Omron PLC NX series, Omron Safety Controllers (SL3300) |
| Limited Threat | Digi TransPort Gateway Vulnerability | CVE-2022-4046; CVE-2022-4224; CVE-2023-29446 | Insufficient Read and Write Protection to Logic and Runtime Data; Access to Sensitive System Files | All versions of: CODESYS Control for BeagleBone SL, CODESYS Control for emPC-A/iMX6 SL, CODESYS Control for IOT2000 SL, CODESYS Control for Linux SL, CODESYS Control for PFC100 SL, CODESYS Control for PFC200 SL, CODESYS Control for PLCnext SL, CODESYS Control for Raspberry Pi SL, CODESYS Control for WAGO Touch Panels 600 SL, CODESYS Control RTE (for Beckhoff CX) SL, CODESYS Control RTE (SL), CODESYS Control Runtime System Toolkit, CODESYS Control Win (SL), CODESYS HMI (SL). Prior to v3.5.19.0: CODESYS Control RTE (SL), CODESYS Control RTE (for Beckhoff CX) SL, CODESYS Control Win (SL), CODESYS Runtime Toolkit, CODESYS Safety SIL2 Runtime Toolkit, CODESYS Safety SIL2 PSP, CODESYS HMI (SL), CODESYS Development System V3. Prior to V4.8.0.0: CODESYS Control for BeagleBone SL, CODESYS Control for emPC-A/iMX6 SL, CODESYS Control for IOT2000 SL, CODESYS Control for Linux SL, CODESYS Control for PFC100 SL, CODESYS Control for PFC200 SL, CODESYS Control for PLCnext SL, CODESYS Control for Raspberry Pi SL, CODESYS Control for WAGO Touch Panels 600 SL |
| Limited Threat | CODESYS V2 and V3 Logic Integrity and Permissions Issues | CVE-2023-28355 | Integrity check fails to identify out-of-band logic changes | CODESYS Control V3: all versions |
| Limited Threat | Moxa NPort 6000 and RealCOM Encryption Weakness and Missing Authentication | CVE-2022-43993; CVE-2022-43994 | PITM and Traffic Intercept; No Client Authentication | NPort 6000 Series: v2.2 and prior; Windows Driver Manager Series (Windows 7 to 10 and Windows Server 2008 R2 to 2019, WHQL certified): v3.4 and prior; Windows Driver Manager Series (Windows 11 and Server 2022 and later, WHQL certified): v4.0 and prior |
| Limited Threat | Emerson AMS Device Manager Remote Access and Privilege Elevation | CVE-2022-31652; CVE-2022-31653 | Network Share Exposure with Default Credentials; Local Credential Exposure | AMS Device Manager: v14.5 and prior |
| Possible Threat | Schneider Electric’s Easergy Builder Installer Code Execution | CVE-2022-34755 | Uncontrolled Search Path Element | Easergy Builder: v1.6.7.0 and prior |
| Limited Threat | Automation Direct’s DirectLogic 06 PLC, C-More EA9 HMI, and ECOM Ethernet Module | CVE-2022-2006; CVE-2022-2005; CVE-2022-2004; CVE-2022-2003 | Uncontrolled Resource Consumption; Cleartext Transmission of Sensitive Information; Uncontrolled Resource Consumption; Insufficiently Protected Credentials | DirectLogic 06 PLCs: prior to v2.72; ECOM Ethernet module; C-More HMI |
| Limited Threat | PHOENIX CONTACT’s RAD-ISM-900-EN-BD Devices | CVE-2022-29898; CVE-2022-29897 | RCE and Unrestricted File Upload via Configuration Uploader; RCE via Traceroute Utility | All versions of: RAD-ISM-900-EN-BD, RAD-ISM-900-EN-BD/B, RAD-ISM-900-EN-BD-BUS |
| Limited Threat | GE MDS Radio Network and Serial Vulnerabilities | CVE-2017-17562; CVE-2022-24119; CVE-2022-24116; CVE-2022-24118; CVE-2022-24120; CVE-2022-24117 | Unauthenticated Remote Code Execution; iNET and iNET-II Factory Backdoor Use; iNET and iNET-II Wi-Fi Security Weaknesses; Factory Reset Authentication System; iNET and iNET-II Plaintext Storage of System Credentials; Unprotected Firmware Update | iNET/iNET II series radio firmware: prior to rev. 8.3.0; SD series radio firmware: prior to rev. 6.4.7; TD220X series radio firmware: prior to rev. 2.0.16; TD220MAX series radio firmware: prior to rev. 1.2.6 |
| Limited Threat | Emerson Secure Setup Utility Certificate Weaknesses | CVE-2021-37581; CVE-2021-37582 | Man-in-the-middle; Weak File Permissions | Emerson Security Setup Utility: v1.6.8 and prior; PlantWeb Insight: v2.3.4 and prior; Emerson v4 WirelessHART Gateways (1410, 1420, 1552, 1410D): v4.8.0 and prior; Emerson v6 WirelessHART Gateways (1410S): v6.6.0 and prior |
| Limited Threat | Lilee Systems/Alstom Rail CMU-2110 | CVE-2022-23407; CVE-2022-23406; CVE-2022-23405; CVE-2022-23404 | Unauthenticated Firmware Update; Backdoor Accounts Including Remote ‘root’ Access; Unprotected Bootloader Access via Diagnostic Port; PTC Message Access and Manipulation | CMU-2110: v2.6_build38 (other versions may also be affected) |
| Limited Threat | Moxa Multiple Vulnerabilities | CVE-2021-37752; CVE-2021-37753; CVE-2021-37755; CVE-2021-37757; CVE-2021-37751; CVE-2021-37754; CVE-2021-37758; CVE-2021-37756 | Authenticated Command Injection via HTTP; Authentication Bypass via Moxa Service; Plaintext Credential Storage; Unauthenticated Buffer Overflow via Moxa Service; Missing Brute Force Protections for Moxa Service; Valid User Disclosure via Moxa Service; Cross-site Scripting; Unprotected Firmware Update | TAP-213 Series: v1.2 and prior; OnCell G3150A: v1.5 and prior; OnCell G3470A: v1.7 and prior; WDR-3124A: v1.3 and prior; AWK-3131A: v1.16 and prior; AWK-4131A: v1.16 and prior; AWK-1131A: v1.22 and prior; AWK-1137C: v1.6 and prior |
| Limited Threat | AVEVA Edge Vulnerabilities | CVE-2021-42796; CVE-2021-42794; CVE-2021-42797; CVE-2021-42795 | Improper Access Control; Exposure of Sensitive Information to an Unauthorized Actor; Path Traversal; Uncontrolled Resource Consumption | AVEVA Edge and InduSoft Web Studio: R2020 and prior |
| Possible Threat | mySCADA myDESIGNER Zip Slip | CVE-2021-41578 | Path Traversal | mySCADA myDESIGNER: 8.20.0 and below |
| Possible Threat | LCDS LAquis SCADA | CVE-2021-41579 | Path Traversal | LAquis SCADA: 4.3.1.1085 and below |
| Possible Threat | Schneider Electric’s GP-Pro EX | CVE-2021-22775 | Uncontrolled Search Path Element | GP-Pro EX: v4.09.250 and prior |
| Limited Threat | Emerson WirelessHART Gateways | CVE-2021-31528; CVE-2021-31527; CVE-2021-31526; CVE-2021-28490; CVE-2006-3082; CVE-2006-6235; CVE-2007-1263; CVE-2021-31529 | Code execution via undocumented hardware interfaces; Web application user permissions enforced in client browser; Web application directory traversal allows overwriting firmware; Web application cross-site request forgery; Upgrade and licensing features may allow arbitrary code execution and signature bypass; Upgrade and licensing features may allow arbitrary code execution and signature bypass; Upgrade and licensing features may allow arbitrary code execution and signature bypass; Unauthenticated user may retrieve WirelessHART Network ID and Join Key | 1420 gateway: firmware v4.6.59; 1410 gateway: firmware v4.5.27; other 1410, 1420, and 1552WU firmware versions are likely also affected |
| Possible Threat | RemotePC Vulnerabilities | CVE-2021-34687; CVE-2021-34688; CVE-2021-34689; CVE-2021-34690; CVE-2021-34691; CVE-2021-34692 | Personal Key sent over the network in a recoverable form; Personal Key stored encrypted with a static key; Plaintext Personal Key in log files; Cloud authentication bypass; Remote denial of service; Privilege escalation to SYSTEM | RemotePC for Windows: before 7.6.48; RemotePC for Linux: before 4.0.1 |
| Limited Threat | Schneider Electric PowerLogic Products | CVE-2021-22763; CVE-2021-22764; CVE-2021-22765; CVE-2021-22766; CVE-2021-22767; CVE-2021-22768 | Backdoor Web Server Administrator Account; Hidden Functionality; Stack-based Buffer Overflow; Memory Corruption Denial of Service; Stack-based Buffer Overflow; Stack-based Buffer Overflow | PowerLogic EGX100: all versions; PowerLogic EGX300: all versions; PowerLogic PM5560: prior to v2.8.3; PowerLogic PM5561: prior to v10.7.3; PowerLogic PM5562: all versions; PowerLogic PM5563: prior to v2.8.3; PowerLogic PM8ECC: all versions |
| Possible Threat | VIPA WinPLC7 | CVE-2021-31218; CVE-2021-31219 | Stack-based Buffer Overflow; DLL Hijacking | WinPLC7: v6 and prior |
| Limited Threat | Tofino Xenon Security Appliance | CVE-2021-30061; CVE-2021-30062; CVE-2021-30063; CVE-2021-30064; CVE-2021-30065; CVE-2021-30066 | Code execution via USB; OPC Classic DPI bypass; OPC Classic system memory exhaustion; Use of Default Credentials; Modbus DPI bypass; Firmware signature verification bypass via USB | Tofino Xenon: 3.2 and below; Eaton Tofino: 2.2.01 and below; Eagle20 Tofino: 2.2.01 and below; Exxon Tofino: 2.2.00 and below |
| Limited Threat | Yokogawa Centum VP DCS HIS | N/A | Hard-coded Windows Credentials; Hard-coded HTTP Credentials; Named Pipe Command Injection; HTTP Arbitrary File Read/Write; CAMS Log Server DoS; CAMS Log Server Directory Traversal; CAMS Arbitrary Log Entries and Log Overwriting; Named Pipe Arbitrary File Deletion; Scheduler Privilege Escalation; Dynamic-Link Library (DLL) Planting Privilege Escalation | Yokogawa Centum VP: R6.07 |
| Limited Threat | Ovarro / CSE Semaphore TBox and TwinSoft | CVE-2020-28988; CVE-2020-28989; CVE-2020-28990; CVE-2020-28987 | Project File May Be Overwritten Without Authentication; HTTP Server Buffer Overflow; Project File May Be Overwritten Without Authentication; Project File Contains Reversible Passcode | TBox Lite: all versions; TwinSoft: all versions; TBox LT2, MS, Nano, TG2, and RM2: all versions (CVE-2020-28987 and CVE-2020-28988 only) |
| Limited Threat | FieldComm Group HART-IP and hipserver | CVE-2020-16209 | Stack-based Buffer Overflow | HART-IP Developer Kit: release 1.0.0.0; hipserver: release 3.6.1 |
| Limited Threat | Digi Serial Converters and Utility Software | CVE-2020-24357; CVE-2020-24358; CVE-2020-24694; CVE-2020-24695 | Cross-site Scripting; Denial of Service; Undesired Modification of Device Settings; Malicious Insertion | Digi One SP devices: firmware v82000774_Y (08/26/2019) and prior; Digi Device Discover: v1.6.19.0 and prior |
| Possible Threat | PACTware Software | CVE-2020-9403; CVE-2020-9404 | Storing Passwords in a Recoverable Format; Incorrect Permission Assignment for Critical Resource | PACTware: v4.1SP4 (4.1.0.50) and v5.0 (5.0.4.20) |
| Limited Threat | Siemens TIA Portal V15 | CVE-2019-13928 | Memory Corruption | TIA Portal: prior to v1.0 SP1 Upd1 |
| Immediate Action | Schneider Electric SoMachine Basic software, M221, M241, and M2** PLCs | CVE-2018-7821; CVE-2018-7822; CVE-2018-7823 | Incorrect Default Permissions; Missing Authentication for Critical Function; Unauthenticated Configuration | SoMachine Basic: v1.6SP2; Modicon M221: v1.5.0.0; Modicon M241: v4.0.6.38 |
| Limited Threat | Panduit IntraVUE | CVE-2019-0199; CVE-2019-13039; CVE-2019-13043; CVE-2019-13042; CVE-2019-13040 | Cross-Site Request Forgery (CSRF); Use of Hard-coded Credentials; Information Disclosure; Loss of View; Loss of Control | IntraVUE: v3.1.2 |
| Limited Threat | General Electric Communicator | CVE-2019-6564; CVE-2019-6546; CVE-2019-6548; CVE-2019-6544; CVE-2019-6566 | Uncontrolled Search Path Element; Uncontrolled Search Path Element; Use of Hard-coded Credentials; Improper Access Control; Improper Access Control | GE Communicator: prior to v4.0.517 |
| Limited Threat | Triconex TCM Module Vulnerabilities | N/A | Hidden Functionality | Triconex TCM4351: v10.4.1 and prior; Triconex TCM4354: v10.4.1 and prior |
| Limited Threat | GoAhead Web Server | CVE-2011-4273; CVE-2009-5111; CVE-2003-1569; CVE-2003-1568; CVE-2002-2431; CVE-2002-2430; CVE-2002-2429; CVE-2002-2428; CVE-2002-2427 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’); Resource Exhaustion; Memory Corruption; Improper Input Validation; Uncaught Exception; Denial of Service (CPU Consumption); Denial of Service (Daemon Crash); Denial of Service (Pointer Dereference and Daemon Crash); Unauthorized Access and Authentication Bypass | GoAhead Web Server: prior to v4.0.1 |
| Possible Threat | Rockwell Automation Connected Components Workbench / Program Updater / Other Issues | CVE-2017-5176 | DLL Hijacking | Connected Components Workbench: v9.01.00 and earlier |

Report Vulnerabilities in the Dragos Platform, Hardware, Services, and Threat Intelligence solutions