SCADA/ICS Vulnerability Reference

This page compiles reference information on disclosures affecting Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS): vulnerability details, exploit code (where available and where confidentiality or privacy agreements allow), and related material.

Additional information regarding the automation of SCADA/ICS vulnerabilities can be found under Metasploit Modules for SCADA-related Vulnerabilities.

Coordinated Disclosures of Interest

Vendor (Researcher)           | Source       | CVSS Score | Est. Public Disclosure
ABB (Luigi Auriemma)          | ZDI-CAN-1260 | 10         | Apr 7, 2012
InduSoft (Alexander Gavrun)   | ZDI-CAN-1341 | 7.5        | Apr 25, 2012
WellinTech (Luigi Auriemma)   | ZDI-11-351   | 10         | (Dec. 22, 2011)
Avaya (Andrea Micalizzi)      | ZDI-CAN-1355 | 9.7        | May 20, 2012
Honeywell (anonymous)         | ZDI-CAN-1437 | 7.5        | May 21, 2012

ICS Vendor Security References

Vendor
Emerson (DeltaV)
Honeywell
Invensys
Rockwell Automation
Schneider Electric (Citect)
Siemens


Vulnerability Summary by ICS Vendor

Entries below that have no Disclosure Date have vulnerability data available; that data will be posted in the near future.

Description | Exploit Type | Remote Exploit | PoC Available | Disclosure Date

3S
CoDeSys Multiple Vulnerabilities | EAC, DoS, FM | | | Dec 2, 11

7 Technologies
IGSS Buffer Overflow Vulnerability | EAC, DoS | | | Dec 21, 11
IGSS Data Server Buffer Overflow Vulnerability | DoS | | | Dec 20, 11
SafeNet Sentinel Input Sanitization Vulnerability | FM | | | Dec 12, 11
IGSS Remote Memory Corruption | EAC, DoS | | | Jul 8, 11
IGSS Denial of Service (DoS) | | | |
IGSS Stack Overflows and Directory Traversal | | | |
IGSS Remote Stack Overflow | | | |
IGSS Multiple Vulnerabilities | | | |
IGSS ODBC Server Remote Heap Corruption | | | |

ABB
SCADA Viewer OPC Buffer Overflow Vulnerability | | | |

Advantech
ADAM OPC Server ActiveX Control Buffer Overflow Vulnerability | EAC, DoS | | | Nov 4, 11
WebAccess ActiveX Vulnerability | EAC, FM | | | Nov 2, 11
Multiple ActiveX Vulnerabilities in WebAccess | EAC, DoS | | | Sep 2, 11
Studio ISSymbol ActiveX Control Buffer Overflow Vulnerabilities | | | |
WebAccess RPC Vulnerabilities | | | |
WebAccess Vulnerabilities | | | |
Studio Test Web Server Buffer Overflow | | | |

ARC Informatique
PcVue HMI/SCADA Multiple ActiveX Vulnerabilities | EAC, MC, FC, DoS | | | Sep 27, 11

AREVA
e-terrahabitat SCADA Systems Vulnerabilities | | | |

atvise
webMI Web Server Multiple Remote Vulnerabilities | ID, DoS | | | Oct 10, 11

Automated Solutions
OPC Server Vulnerability | | | |

AzeoTech
DAQFactory Stack Overflow | EAC | | | Sep 13, 11
DAQFactory Networking Vulnerabilities | | | |

Beckhoff
TwinCAT 'TCATSysSrv.exe' Network Packet DoS Vulnerability | DoS | | | Sep 13, 11

Broadwin
(see Advantech)

Cisco
Network Building Mediator Vulnerabilities | | | |

Cogent
DataHub Multiple Vulnerabilities | EAC, DT, ID, DoS | | | Sep 13, 11

Control Microsystems
(see Schneider Electric)

Ecava
IntegraXor Cross-Site Scripting (XSS) | | | |
IntegraXor Unauthenticated SQL Vulnerability | | | |
IntegraXor Directory Traversal Vulnerability | | | |
IntegraXor Buffer Overflow | | | |

General Electric
Proficy Plant Applications Buffer Overflow Vulnerability | EAC, DoS | | | Nov 1, 11
Proficy Historian Web Administrator XSS Vulnerability | EAC | | | Nov 1, 11
Proficy Plant Applications Buffer Overflow Vulnerabilities | EAC | | | Nov 1, 11

Honeywell
TEMA Remote Installer ActiveX Vulnerability | EAC, FM | | | Oct 12, 11
ScanServer ActiveX Control Use-After-Free Vulnerability | EAC | | | Apr 13, 11

Intellicom
Netbiter WebSCADA Multiple Vulnerabilities | | | |
Devices Having Default HTTP Passwords | | | |

Iconics
GENESIS32 Multiple Memory Corruption Vulnerabilities | EAC, DoS | | | Sep 30, 11
TrustedZone Vulnerability | | | |
Login ActiveX Vulnerability | | | |
GENESIS32 and BizViz ActiveX Stack Overflow | | | |
GENESIS32 / GENESIS64 Multiple Vulnerabilities | | | |

Inductive Automation
Ignition Disclosure Vulnerability | ID | | | Aug 19, 11

InduSoft
Web Studio Multiple Vulnerabilities | EAC | | | Nov 15, 11
ISSymbol ActiveX Control Buffer Overflow | EAC, DoS | | | Sep 1, 11
ISSymbol ActiveX Control Buffer Overflows | | | |

Invensys
Wonderware InBatch ActiveX Multiple Buffer Overflow Vulnerabilities | EAC, DoS | | | Dec 20, 11
Wonderware Information Server | EAC | | | Jul 26, 11
Wonderware InBatch Client ActiveX Buffer Overflow | | | |
InBatch / I/A Series Batch Buffer Overflow | | | |

IRAI
AUTOMGEN Buffer Overflow Vulnerability | EAC, DoS | | | Oct 10, 11

Measuresoft
ScadaPro Multiple Vulnerabilities | EAC, DT, DoS | | | Sep 13, 11

Microsys
Promotic Use-After-Free Vulnerability | EAC | | | Nov 29, 11
Promotic Directory Traversal and ActiveX Control Buffer Overflow Vulnerabilities | EAC, DT, ID | | | Oct 13, 11

Moxa
Device Manager Buffer Overflow | | | |

Open Automation Software
OPC Systems.NET Vulnerability | DoS | | | Oct 12, 11

Optima
APIFTP Server Vulnerabilities | DoS, EAC | | | Nov 28, 11

Progea
Movicon Multiple Vulnerabilities | EAC, DoS | | | Sep 13, 11
Movicon TCPUploadServer | | | |

RealFlex
RealWin Multiple Vulnerabilities | | | |
RealWin Buffer Overflow Vulnerabilities | | | |

Rockwell Automation
RSLogix Overflow Vulnerability | DoS | | | Sep 13, 11
FactoryTalk Diag Viewer Memory | | | |
RSLinx Classic EDS Wizard Buffer Overflow | | | |
Open UDP Port in 1756-ENBT Interface Module | | | |
MicroLogix PLC Authentication and Authorization Vulnerabilities | | | |

Samsung
Data Management Server Root Access | | | |

ScadaTEC
ModbusTagServer and ScadaPhone Remote Buffer Overflow Vulnerability | EAC, DoS | | | Sep 12, 11
Procyon 'Coreservice.exe' Stack Buffer Overflow Vulnerability | EAC, DoS | | | Sep 7, 11

Schneider Electric
Quantum Ethernet Module Multiple Vulnerabilities | EAC, DoS | | | Dec 12, 11
Vijeo Historian Web Server Multiple Vulnerabilities | EAC, DT, ID | | | Nov 28, 11
CitectSCADA (Mitsubishi MX4 SCADA) Batch Server Buffer Overflow | EAC | | | Nov 8, 11
UnitelWay Device Driver Buffer Overflow | EAC | | | Oct 20, 11
(Control Microsystems) ClearSCADA Remote Authentication Bypass | ID | | | Aug 25, 11
ClearSCADA Multiple Vulnerabilities | | | |

Sielco Sistemi
Winlog Buffer Overflow | EAC, DoS | | | Dec 6, 11
Winlog Stack Overflow | | | |

Siemens
Tecnomatix FactoryLink Multiple ActiveX Vulnerabilities | EAC, FM, FC, DoS | | | Jan 4, 12
SIMATIC HMI Authentication Vulnerabilities | ID | | | Dec 22, 11
SIMATIC WinCC Flexible Vulnerabilities | EAC, FM, DoS | | | Nov 29, 11
Automation License Manager Multiple Vulnerabilities | EAC, MM, FM, DoS | | | Nov 28, 11
WinCC Flexible Runtime Heap Overflow | EAC, DoS | | | Sep 6, 11
SIMATIC S7-300 Hardcoded Credentials | ID, CDC | | | Jul 23, 11
Password Protection Vulnerability in SIMATIC S7 Controllers | ID, CDC | | | Jul 5, 11
SIMATIC S7-1200 PLC Vulnerabilities | ID, CDC, DoS | | | Jun 10, 11
WinCC Exploitable Crashes | | | |
Tecnomatix FactoryLink Multiple Vulnerabilities | | | |
Stuxnet (Siemens PCS7/S7) | Sabotage | | | July 2010

Sunway
ForceControl and pNetPower Multiple Security Vulnerabilities | EAC, ID, DoS | | | Sep 22, 11
ForceControl SCADA SEH | EAC, DoS | | | Aug 26, 11

Tecnomatix
(see Siemens)

Unitronics
UniOPC Server Input Handling Vulnerability | EAC, DoS | | | Oct 6, 11

WellinTech
KingView History Server Buffer Overflow Vulnerability | EAC, DoS | | | Dec 21, 11
KingView 6.53 KVWebSvr ActiveX Vulnerability | | | |
KingView Buffer Overflow | | | |

Wind River
VxWorks Vulnerabilities | | | |


Definitions:

DoS = Denial of Service
FM = File Modification
PoC = Proof of Concept
DT = Directory Traversal
ID = Information Disclosure / Credential Stealing
EAC = Execution of Arbitrary Code
MM = Memory Modification
FC = File Corruption
CDC = Complete Device Compromise