Moxa has updated its SoftCMS Live Viewer product to fix a SQL injection vulnerability, according to an advisory published by ICS-CERT.
SoftCMS Live Viewer Version 1.6 and prior versions are affected. SoftCMS Live Viewer is video surveillance software designed for industrial automation systems.
Successful exploitation of this vulnerability, discovered by security researcher Ziqiang Gu of Huawei WeiRan Labs, could allow an unauthenticated user to access SoftCMS Live Viewer without knowing the user’s password.
No known public exploits specifically target this vulnerability.
The flaw is an improper neutralization of special elements used in an SQL command (‘SQL Injection’): user-supplied input reaches a database query without being treated strictly as data, so attackers can exploit it to access SoftCMS without knowing the user’s password.
CVE-2017-50137 has been assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
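To illustrate the class of bug the advisory describes (a login check that lets SQL syntax in the password field override the credential comparison) and the fix that closes it, here is an added example that is not Moxa's code or SoftCMS's schema; the table, the user record and the `login_*` functions are constructed for illustration, and the parameterized version is the kind of regression check a maintainer would want to keep.

```python
import sqlite3


def make_db():
    # Constructed in-memory user table; an assumption, not SoftCMS's real schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('operator', 'correct-horse')")
    return db


def login_vulnerable(db, name, password):
    # Special characters in the input are not neutralized: the quote in the
    # password closes the literal and the rest of the input becomes SQL.
    q = f"SELECT COUNT(*) FROM users WHERE name = '{name}' AND password = '{password}'"
    return db.execute(q).fetchone()[0] > 0


def login_fixed(db, name, password):
    # Bound parameters: the driver passes the input as data, never as SQL syntax,
    # so the same string is compared literally against the stored password.
    q = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return db.execute(q, (name, password)).fetchone()[0] > 0


def demo():
    db = make_db()
    # Tautology in the password field: the vulnerable query becomes
    # ... AND password = 'x' OR '1'='1', which is true for every row.
    crafted = "x' OR '1'='1"
    return {
        "vuln_good": login_vulnerable(db, "operator", "correct-horse"),
        "vuln_wrong": login_vulnerable(db, "operator", "wrong"),
        "vuln_crafted": login_vulnerable(db, "operator", crafted),   # True: bypass
        "fixed_good": login_fixed(db, "operator", "correct-horse"),
        "fixed_wrong": login_fixed(db, "operator", "wrong"),
        "fixed_crafted": login_fixed(db, "operator", crafted),       # False: rejected
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```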
The product is used mainly in the critical manufacturing, energy and transportation systems sectors, and is deployed worldwide.
Taiwan-based Moxa has released software update Version 1.7 for SoftCMS Live Viewer, which fixes this vulnerability. Moxa recommends that users update to the new version.