
SCADA/ICS Vulnerability Reference

This page compiles reference information on disclosures affecting Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS): vulnerability details, exploit code (where available and where confidentiality or privacy agreements permit its release), and additional material related to each disclosure.

Additional information regarding the automation of SCADA/ICS vulnerabilities can be found under Metasploit Modules for SCADA-related Vulnerabilities.

Coordinated Disclosures of Interest

| Vendor / Description | Researcher        | Source       | CVSS | Est. Public      |
|----------------------|-------------------|--------------|------|------------------|
| ABB                  | Luigi Auriemma    | ZDI-CAN-1260 | 10   | Apr 7, 2012      |
| InduSoft             | Alexander Gavrun  | ZDI-CAN-1341 | 7.5  | Apr 25, 2012     |
| WellinTech           | Luigi Auriemma    | ZDI-11-351   | 10   | (Dec. 22, 2011)  |
| Avaya                | Andrea Micalizzi  | ZDI-CAN-1355 | 9.7  | May 20, 2012     |
| Honeywell            | anonymous         | ZDI-CAN-1437 | 7.5  | May 21, 2012     |

ICS Vendor Security References

Emerson (DeltaV)
Rockwell Automation
Schneider Electric (Citect)


Vulnerability Summary by ICS Vendor

Entries below that lack a Disclosure Date have vulnerability data available; that data will be posted in the near future.

| Vendor                   | Description                                                                      | Exploit           | Disclosure Date |
|--------------------------|----------------------------------------------------------------------------------|-------------------|-----------------|
|                          | CoDeSys Multiple Vulnerabilities                                                 | EAC, DoS, FM      | Dec 2, 11       |
| 7 Technologies           | IGSS Buffer Overflow Vulnerability                                               | EAC, DoS          | Dec 21, 11      |
|                          | IGSS Data Server Buffer Overflow Vulnerability                                   | DoS               | Dec 20, 11      |
|                          | SafeNet Sentinel Input Sanitization Vulnerability                                | FM                | Dec 12, 11      |
|                          | IGSS Remote Memory Corruption                                                    | EAC, DoS          | Jul 8, 11       |
|                          | IGSS Denial of Service (DoS)                                                     |                   |                 |
|                          | IGSS Stack Overflows and Directory Traversal                                     |                   |                 |
|                          | IGSS Remote Stack Overflow                                                       |                   |                 |
|                          | IGSS Multiple Vulnerabilities                                                    |                   |                 |
|                          | IGSS ODBC Server Remote Heap Corruption                                          |                   |                 |
|                          | SCADA Viewer OPC Buffer Overflow Vulnerability                                   |                   |                 |
|                          | ADAM OPC Server ActiveX Control Buffer Overflow Vulnerability                    | EAC, DoS          | Nov 4, 11       |
|                          | WebAccess ActiveX Vulnerability                                                  | EAC, FM           | Nov 2, 11       |
|                          | Multiple ActiveX Vulnerabilities in WebAccess                                    | EAC, DoS          | Sep 2, 11       |
|                          | Studio ISSymbol ActiveX Control Buffer Overflow Vulnerabilities                  |                   |                 |
|                          | WebAccess RPC Vulnerabilities                                                    |                   |                 |
|                          | WebAccess Vulnerabilities                                                        |                   |                 |
|                          | Studio Test Web Server Buffer Overflow                                           |                   |                 |
| ARC Informatique         | PcVue HMI/SCADA Multiple ActiveX Vulnerabilities                                 | EAC, MC, FC, DoS  | Sep 27, 11      |
|                          | e-terrahabitat SCADA Systems Vulnerabilities                                     |                   |                 |
|                          | webMI Web Server Multiple Remote Vulnerabilities                                 | ID, DoS           | Oct 10, 11      |
| Automated Solutions      | OPC Server Vulnerability                                                         |                   |                 |
|                          | DAQFactory Stack Overflow                                                        | EAC               | Sep 13, 11      |
|                          | DAQFactory Networking Vulnerabilities                                            |                   |                 |
|                          | TwinCAT 'TCATSysSrv.exe' Network Packet DoS Vulnerability                        | DoS               | Sep 13, 11      |
|                          | (see Advantech)                                                                  |                   |                 |
|                          | Network Building Mediator Vulnerabilities                                        |                   |                 |
|                          | DataHub Multiple Vulnerabilities                                                 | EAC, DT, ID, DoS  | Sep 13, 11      |
| Control Microsystems     | (see Schneider Electric)                                                         |                   |                 |
|                          | IntegraXor Cross-Site Scripting (XSS)                                            |                   |                 |
|                          | IntegraXor Unauthenticated SQL Vulnerability                                     |                   |                 |
|                          | IntegraXor Directory Traversal Vulnerability                                     |                   |                 |
|                          | IntegraXor Buffer Overflow                                                       |                   |                 |
| General Electric         | Proficy Plant Applications Buffer Overflow Vulnerability                         | EAC, DoS          | Nov 1, 11       |
|                          | Proficy Historian Web Administrator XSS Vulnerability                            | EAC               | Nov 1, 11       |
|                          | Proficy Plant Applications Buffer Overflow Vulnerabilities                       | EAC               | Nov 1, 11       |
|                          | TEMA Remote Installer ActiveX Vulnerability                                      | EAC, FM           | Oct 12, 11      |
|                          | ScanServer ActiveX Control Use-After-Free Vulnerability                          | EAC               | Apr 13, 11      |
|                          | Netbiter WebSCADA Multiple Vulnerabilities                                       |                   |                 |
|                          | Devices Having Default HTTP Passwords                                            |                   |                 |
|                          | GENESIS32 Multiple Memory Corruption Vulnerabilities                             | EAC, DoS          | Sep 30, 11      |
|                          | TrustedZone Vulnerability                                                        |                   |                 |
|                          | Login ActiveX Vulnerability                                                      |                   |                 |
|                          | GENESIS32 and BizViz ActiveX Stack Overflow                                      |                   |                 |
|                          | GENESIS32 / GENESIS64 Multiple Vulnerabilities                                   |                   |                 |
| Inductive Automation     | Ignition Disclosure Vulnerability                                                | ID                | Aug 19, 11      |
|                          | Web Studio Multiple Vulnerabilities                                              | EAC               | Nov 15, 11      |
|                          | ISSymbol ActiveX Control Buffer Overflow                                         | EAC, DoS          | Sep 1, 11       |
|                          | ISSymbol ActiveX Control Buffer Overflows                                        |                   |                 |
|                          | Wonderware InBatch ActiveX Multiple Buffer Overflow Vulnerabilities              | EAC, DoS          | Dec 20, 11      |
|                          | Wonderware Information Server                                                    | EAC               | Jul 26, 11      |
|                          | Wonderware InBatch Client ActiveX Buffer Overflow                                |                   |                 |
|                          | InBatch / I/A Series Batch Buffer Overflow                                       |                   |                 |
|                          | AUTOMGEN Buffer Overflow Vulnerability                                           | EAC, DoS          | Oct 10, 11      |
|                          | ScadaPro Multiple Vulnerabilities                                                | EAC, DT, DoS      | Sep 13, 11      |
|                          | Promotic Use-After-Free Vulnerability                                            | EAC               | Nov 29, 11      |
|                          | Promotic Directory Traversal and ActiveX Control Buffer Overflow Vulnerabilities | EAC, DT, ID       | Oct 13, 11      |
|                          | Device Manager Buffer Overflow                                                   |                   |                 |
| Open Automation Software | OPC Systems.NET Vulnerability                                                    | DoS               | Oct 12, 11      |
|                          | APIFTP Server Vulnerabilities                                                    | DoS, EAC          | Nov 28, 11      |
|                          | Movicon Multiple Vulnerabilities                                                 | EAC, DoS          | Sep 13, 11      |
|                          | Movicon TCPUploadServer                                                          |                   |                 |
|                          | RealWin Multiple Vulnerabilities                                                 |                   |                 |
|                          | RealWin Buffer Overflow Vulnerabilities                                          |                   |                 |
| Rockwell Automation      | RSLogix Overflow Vulnerability                                                   | DoS               | Sep 13, 11      |
|                          | FactoryTalk Diag Viewer Memory                                                   |                   |                 |
|                          | RSLinx Classic EDS Wizard Buffer Overflow                                        |                   |                 |
|                          | Open UDP Port in 1756-ENBT Interface Module                                      |                   |                 |
|                          | MicroLogix PLC Authentication and Authorization Vulnerabilities                  |                   |                 |
|                          | Data Management Server Root Access                                               |                   |                 |
|                          | ModbusTagServer and ScadaPhone Remote Buffer Overflow Vulnerability              | EAC, DoS          | Sep 12, 11      |
|                          | Procyon 'Coreservice.exe' Stack Buffer Overflow Vulnerability                    | EAC, DoS          | Sep 7, 11       |
| Schneider Electric       | Quantum Ethernet Module Multiple Vulnerabilities                                 | EAC, DoS          | Dec 12, 11      |
|                          | Vijeo Historian Web Server Multiple Vulnerabilities                              | EAC, DT, ID       | Nov 28, 11      |
|                          | CitectSCADA (Mitsubishi MX4 SCADA) Batch Server Buffer Overflow                  | EAC               | Nov 8, 11       |
|                          | UnitelWay Device Driver Buffer Overflow                                          | EAC               | Oct 20, 11      |
|                          | (Control Microsystems) ClearSCADA Remote Authentication Bypass                   | ID                | Aug 25, 11      |
|                          | ClearSCADA Multiple Vulnerabilities                                              |                   |                 |
| Sielco Sistemi           | Winlog Buffer Overflow                                                           | EAC, DoS          | Dec 6, 11       |
|                          | Winlog Stack Overflow                                                            |                   |                 |
|                          | Tecnomatix FactoryLink Multiple ActiveX Vulnerabilities                          | EAC, FM, FC, DoS  | Jan 4, 12       |
|                          | SIMATIC HMI Authentication Vulnerabilities                                       | ID                | Dec 22, 11      |
|                          | SIMATIC WinCC Flexible Vulnerabilities                                           | EAC, FM, DoS      | Nov 29, 11      |
|                          | Automation License Manager Multiple Vulnerabilities                              | EAC, MM, FM, DoS  | Nov 28, 11      |
|                          | WinCC Flexible Runtime Heap Overflow                                             | EAC, DoS          | Sep 6, 11       |
|                          | SIMATIC S7-300 Hardcoded Credentials                                             | ID, CDC           | Jul 23, 11      |
|                          | Password Protection Vulnerability in SIMATIC S7 Controllers                      | ID, CDC           | Jul 5, 11       |
|                          | SIMATIC S7-1200 PLC Vulnerabilities                                              | ID, CDC, DoS      | Jun 10, 11      |
|                          | WinCC Exploitable Crashes                                                        |                   |                 |
|                          | Tecnomatix FactoryLink Multiple Vulnerabilities                                  |                   |                 |
|                          | Stuxnet (Siemens PCS7/S7)                                                        | Sabotage          | July 2010       |
|                          | ForceControl and pNetPower Multiple Security Vulnerabilities                     | EAC, ID, DoS      | Sep 22, 11      |
|                          | ForceControl SCADA SEH                                                           | EAC, DoS          | Aug 26, 11      |
|                          | (see Siemens)                                                                    |                   |                 |
|                          | UniOPC Server Input Handling Vulnerability                                       | EAC, DoS          | Oct 6, 11       |
|                          | KingView History Server Buffer Overflow Vulnerability                            | EAC, DoS          | Dec 21, 11      |
|                          | KingView 6.53 KVWebSvr ActiveX Vulnerability                                     |                   |                 |
|                          | KingView Buffer Overflow                                                         |                   |                 |
| Wind River               | VxWorks Vulnerabilities                                                          |                   |                 |

The Vendor column is filled only where the source page carries a vendor name; rows without one belong to the vendor group they follow or to a vendor the page does not name.

Legend (Exploit column):

DoS = Denial of Service
DT  = Directory Traversal
EAC = Execution of Arbitrary Code
FC  = File Corruption
FM  = File Modification
ID  = Information Disclosure / Credential Stealing
MM  = Memory Modification
CDC = Complete Device Compromise
PoC = Proof of Concept