Multiple vulnerabilities in ICONICS Products
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2022-2650 CVE-2023-4807 |
| CWE-ID | CWE-307 CWE-20 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software |
ICONICS Suite Server applications / SCADA systems Energy AnalytiX Server applications / SCADA systems GENESIS64 Server applications / SCADA systems MobileHMI Mobile applications / Apps for mobile phones Hyper Historian Client/Desktop applications / Other client software |
| Vendor | ICONICS, Inc. |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Improper Restriction of Excessive Authentication Attempts
EUVDB-ID: #VU93706
Risk: High
CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2022-2650
CWE-ID:
CWE-307 - Improper Restriction of Excessive Authentication Attempts
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to improper restriction of excessive authentication attempts. A remote attacker can guess valid usernames and corresponding passwords.
MitigationInstall update from vendor's website.
Vulnerable software versionsICONICS Suite: All versions
MobileHMI: All versions
Energy AnalytiX: All versions
Hyper Historian: All versions
GENESIS64: All versions
CPE2.3- cpe:2.3:a:iconics:iconics_suite:*:*:*:*:*:*:*:*
- cpe:2.3:a:iconics:mobilehmi:*:*:*:*:*:*:*:*
- cpe:2.3:a:iconics:energy_analytix:*:*:*:*:*:*:*:*
- cpe:2.3:a:iconics:hyper_historian:*:*:*:*:*:*:*:*
- cpe:2.3:a:iconics:genesis64:*:*:*:*:*:*:*:*
https://www.cisa.gov/news-events/ics-advisories/icsa-24-184-03
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Input validation error
EUVDB-ID: #VU80565
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-4807
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the POLY1305 MAC (message authentication code) implementation. A remote attacker can send specially crafted input to the application and corrupt MM registers on Windows 64 platform, resulting in a denial of service condition.
Install update from vendor's website.
Vulnerable software versionsICONICS Suite: All versions
MobileHMI: All versions
Energy AnalytiX: All versions
Hyper Historian: All versions
GENESIS64: All versions
CPE2.3- cpe:2.3:a:iconics:iconics_suite:*:*:*:*:*:*:*:*
- cpe:2.3:a:iconics:mobilehmi:*:*:*:*:*:*:*:*
- cpe:2.3:a:iconics:energy_analytix:*:*:*:*:*:*:*:*
- cpe:2.3:a:iconics:hyper_historian:*:*:*:*:*:*:*:*
- cpe:2.3:a:iconics:genesis64:*:*:*:*:*:*:*:*
https://www.cisa.gov/news-events/ics-advisories/icsa-24-184-03
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
