Envitech Ltd. has an update available to mitigate an improper authentication vulnerability in EnviDAS Ultimate, according to a report from ICS-CERT.
EnviDAS Ultimate is a web application for environmental monitoring. Versions prior to v220.127.116.11 suffer from the remotely exploitable issue, which was discovered by Can Demirel of Biznet Bilisim, who also tested the patch.
Successful exploitation of this vulnerability could allow an attacker to view and edit settings without authenticating and execute code remotely.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill level could leverage the vulnerability.
The web application lacks proper authentication which could allow an attacker to view information and modify settings or execute code remotely.
CVE-2017-9625 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.2.
The product sees use in the commercial facilities, communications, and water and wastewater systems sectors. It is deployed on a global basis.
Israel-based Envitech Ltd. recommends that users of affected versions update to the latest version, v18.104.22.168 or newer. The update can be obtained by emailing Envitech Ltd.