Access Control Flaws

28 Jan 2018

[ICS] Trihedral VTScada (more) Multiple Vulnerabilities

Vendor: Trihedral
Equipment: VTScada
Vulnerabilities: Improper Access Control, Uncontrolled Search Path Element

ICS-CERT Advisory:



Trihedral Engineering Limited reports that the vulnerability affects the following versions of the VTScada HMI and SCADA software:

  • VTScada 11.3.03 and prior.

Successful exploitation of these vulnerabilities may allow execution of arbitrary code.

Read on for details.

Read more

05 Jan 2018

Cambium Networks Services Server (CNSS) – Access Control Flaws

Cambium Networks Services Server (CNSS) - Access Control Flaws

This 0-day report was submitted to Cambium via Beyond Trust's SSD program and resolved back in November 2017. Forgot to push this out. Publishing the report now.

Cambium Networks Services Server (CNSS) - Official Cambium software tool to manage Cambium ePMP devices

The Cambium Networks Services (CNS) Server is a network management application provided by Cambium Networks to manage ePMP devices.

Centrally manage the distribution of software upgrades to your ePMP network via a standard web browser

Vulnerable versions – - (current at the time of reporting)

Fixed - a patch was released for which fixes these issues

Vulnerability Summary

  1. It is possible for an un-authenticated user to access sensitive configuration files from the server.
  2. It is possible for a low-privileged user to access restricted, sensitive information.

Read on for details.

Read more

28 Oct 2017

[ICS] JanTek JTC-200 RS232-NET Converter Advisory Published

Vendor: JanTek
Equipment: JTC-200
Vulnerabilities: Cross-site Request Forgery, Improper Authentication

ICS-CERT Advisory



The following versions of JTC-200, a TCP/IP converter, are affected:

  • JTC-200 all versions.


Successful exploitation of these vulnerabilities could allow for remote code execution on the device with elevated privileges.

Read on for details.

Read more

07 Apr 2017

[ICS] Cambium ePMP SNMP Security Vulnerabilities

Cambium SNMP Security Vulnerabilities

Late last year, in 2016, I decided to take a look at SNMP implementation in Cambium ePMP appliances. After a few hours of checking out supported OIDs and corresponding device operations, the security issues stood out glaringly. The vendor, to the most part, attributed these (read: pass the ball) to SNMP v1/2c, which is inherently insecure; and IMO, still haven't actually fixed the core issues. Why is this significant? Because, simply put, anyone can easily exploit these flaws to take over ePMP devices, and gather sensitive information.


  1. Cambium ePMP 1000
  2. Cambium ePMP 2000
  3. Cambium PMP XXX
  4. Cambium ForceXXX models
  5. Potentially all other models

These vulnerabilities may can allow an attacker to access device configuration as well as make unauthorized changes to the device configuration.

Read on for details & poc.

Read more

07 Apr 2017

[ICS] SenNet Data Logger appliances and Electricity Meters Multiple Vulnerabilities

SenNet Data Logger appliances and Electricity Meters Multiple Vulnerabilities

SenNet is a trademark of Satel Spain that offers monitoring and remote-control solutions for businesses. Our engineers develop, integrate and test the products of SenNet in our facilities in Madrid (Spain).

1. No access control on the remote shell
2. Shell services running with excessive privileges (superuser)
3. OS Command Injection
4. Insecure Transport

Read on for poc.

Read more

20 Mar 2017

[ICS] LAquis SCADA Advisory Access Control Vulnerability

ICS-CERT published an advisory on one of my reports recently -


Vendor: LCDS - Leão Consultoria e Desenvolvimento de Sistemas LTDA ME
Equipment: LAquis SCADA
Vulnerability: Improper Access Control

ICS-CERT Advisory


The following versions of LAquis SCADA, an industrial automation software, are affected:
LAquis SCADA software, Versions 4.1 and prior versions released before January 20, 2017.

Read on for details and poc.

Read more