Fidelix released a new software version to mitigate a path traversal vulnerability in its FX-20 series controllers, according to an ICS-CERT advisory.
This vulnerability, discovered by researcher Semen Rozhkov of Kaspersky Lab, is remotely exploitable.
FX-20 series controllers running versions prior to 11.50.19 are affected.
Successful exploitation of this vulnerability may give an attacker the ability to read data from the device. The attacker cannot write data.
Fidelix is a Finland-based company. The affected products, FX-20 series controllers, are building controllers.
The FX-20 series controllers are deployed across several sectors, including commercial facilities. Fidelix estimates these products are used primarily in Europe.
The vulnerability is an arbitrary file read: a path traversal flaw allows an attacker to access arbitrary files and directories on the device.
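To make the vulnerability class concrete from a defender's side, here is an added example (not Fidelix code, and unrelated to the FX-20 firmware) that shows the two controls a practitioner would want: a path-resolution check that confines a requested file to the web root even when the request is URL-encoded, and a scan over constructed access-log lines that flags traversal attempts. The web root, the log lines and the client addresses are all constructed for the example.

```python
"""Added example: confining file reads to a web root, and spotting traversal
attempts in access logs. Not code from Fidelix or from the ICS-CERT advisory;
paths and log lines below are constructed for illustration."""
from pathlib import Path
from urllib.parse import unquote
import re


def resolve_within(base_dir: str, requested: str):
    """Return the resolved Path for `requested` if it stays inside `base_dir`,
    otherwise None.

    The request is percent-decoded twice so that encoded (`%2e%2e/`) and
    double-encoded dot segments are normalised before the containment check.
    A leading slash is stripped so an absolute request is treated as relative
    to the web root rather than escaping it.
    """
    base = Path(base_dir).resolve()
    decoded = unquote(unquote(requested))
    candidate = (base / decoded.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError if outside base
    except ValueError:
        return None
    return candidate


# Constructed access-log lines in common log format (hypothetical addresses).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2017:10:00:02 +0000] "GET /../../system/config.txt HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2017:10:00:03 +0000] "GET /%2e%2e/%2e%2e/config HTTP/1.1" 200 300',
    '10.0.0.7 - - [01/Jan/2017:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 2048',
]

_REQUEST_PATH = re.compile(r'"[A-Z]+ (\S+)')


def flag_traversal_requests(log_lines):
    """Return (client_ip, decoded_path) for each request whose decoded path
    contains a parent-directory segment. Decoding before matching catches
    percent-encoded variants that a naive '../' substring search would miss."""
    hits = []
    for line in log_lines:
        match = _REQUEST_PATH.search(line)
        if not match:
            continue
        path = unquote(unquote(match.group(1)))
        if "../" in path or "..\\" in path:
            hits.append((line.split()[0], path))
    return hits


if __name__ == "__main__":
    print(resolve_within("/tmp/webroot", "index.html"))
    print(resolve_within("/tmp/webroot", "../../system/config.txt"))
    for ip, path in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```

The containment check resolves both the root and the candidate before comparing, so symlinked roots and `..` segments are handled by the filesystem rather than by string matching; the log scan is only a triage aid, since a request that is blocked by the first control still deserves a detection entry.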
CVE-2016-9364 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill level would be able to exploit it.
Fidelix released a new software version, 11.50.19, to address this vulnerability. Users can obtain the new version by contacting a local distributor or Fidelix support.