Advantech B+B SmartWorx is unable to provide any kind of mitigations for its MESR901 Modbus gateway, which suffers from a use of client-side authentication vulnerability, so it is working to replace the product with a new model, according to a report from ICS-CERT.
MESR901 firmware versions 1.5.2 and prior suffer from the remotely exploitable issue.
Successful exploitation of this vulnerability, discovered by researcher Maxim Rupp, could allow an unauthenticated user to bypass authentication and access restricted pages.
The company’s headquarters are in Ottawa, IL and Galway, Ireland.
No known public exploits specifically target this vulnerability. However, an attacker with low skill level would be able to leverage the vulnerability.
The product sees use mainly in the critical manufacturing sector. It also sees action on a global basis.
CVE-2017-7909 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
Advantech B+B SmartWorx recommends users place the device behind a firewall because it is unable to provide mitigations for this product and is working to replace it with a new model.