AVEVA has an upgrade available to mitigate an insufficiently protected credentials vulnerability in its Vijeo Citect and CitectSCADA, according to a report from NCCIC.

Successful exploitation of this vulnerability, discovered by VAPT Team, C3i Center, and IIT Kanpur, could allow a locally authenticated user to obtain Citect user credentials.

The following versions of Vijeo Citect and CitectSCADA, supervisory control and data acquisition (SCADA) software, are affected:
• Vijeo Citect 7.30 and 7.40
• CitectSCADA 7.30 and 7.40

A vulnerability has been identified that may allow an authenticated local user access to Citect user credentials.

CVE-2019-10981 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.5.

The product is used mainly in the commercial facilities, critical manufacturing, and energy sectors, and is deployed worldwide.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. However, an attacker with low skill level could leverage the vulnerability.

UK-based AVEVA recommends all affected users download and upgrade to CitectSCADA 2018 as soon as possible (login required).

Click here to view AVEVA’s security advisory.
