Ecava updated its software to fix a SQL injection vulnerability in its IntegraXor product, according to a report with ICS-CERT.
Independent researchers Brian Gorenc and Juan Pablo Lopez working with Trend Micro’s Zero Day Initiative discovered the remotely exploitable vulnerability.
IntegraXor Version 5.0.413.0 suffers from the issue.
A successful exploit of this vulnerability could lead to arbitrary data leakage, data manipulation, and remote code execution.
The Ecava IntegraXor web server has parameters that are vulnerable to SQL injection. If the queries do not end up sanitized, the host’s database could be subject to read, write, and delete commands.
CVE-2016-8341 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.
While no known public exploits specifically target this vulnerability, an attacker with a low skill level would be able to exploit the vulnerability.
The IntegraXor web server sees action in the critical manufacturing, energy, water and wastewater systems, and transportation systems. The product mainly sees use in the United Kingdom, United States, Australia, Poland, Canada, and Estonia.
Malaysia-based Ecava provided a software update V5.2.722.2 for IntegraXor, which fixes this vulnerability and recommends users update to the new version.