Risk evaluation has revealed two vulnerabilities in the web configuration service of a certain device. The first is an authenticated command injection vulnerability that, if the attacker has the necessary credentials, could allow them to gain full control of the device. The second is a stored cross-site scripting vulnerability that could be used to execute remote code. To mitigate the risk of exploitation, Delta Electronics has released a patch, and CISA recommends that users take defensive measures such as minimizing network exposure and using secure methods such as Virtual Private Networks. CISA also provides a section on recommended practices for control systems security and has published a technical information paper with additional mitigation guidance and recommended practices. Organizations that observe suspicious activity should report it to CISA.
This Cyber News was published on us-cert.cisa.gov. Publication date: Thu, 02 Feb 2023 17:44:03 +0000