Czech Republic-based mySCADA released a new version of its myPRO software to mitigate an unquoted search path vulnerability, according to an ICS-CERT report.
Versions 7.0.26 and prior of myPRO, an HMI/SCADA management platform, suffer from the vulnerability, which Karn Ganeshen discovered.
Successful exploitation of this vulnerability may allow an authenticated, but nonprivileged, local user to execute arbitrary code with elevated privileges.
This vulnerability is not remotely exploitable. However, an attacker with low skill level could leverage the vulnerability. Public exploits are available.
The application's services use unquoted search path elements, which could allow an attacker to execute arbitrary code with elevated privileges.
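An audit for this class of misconfiguration, as an added example that is not code from mySCADA or the advisory: it flags service command lines whose executable path contains spaces but is not quoted, and produces the quoted form. It assumes Windows-style service ImagePath values; the service names and paths are constructed samples, not the real myPRO entries.

```python
import re

# Constructed sample data: service name -> ImagePath string as a service
# configuration would store it. Illustrative values, not real myPRO services.
SAMPLE_SERVICES = {
    "ExampleHmiSvc": r"C:\Program Files\Example Vendor\HMI Runtime\svc.exe -k run",
    "QuotedSvc": r'"C:\Program Files\Example Vendor\HMI Runtime\svc.exe" -k run',
    "NoSpaceSvc": r"C:\Tools\svc.exe /service",
    "SystemSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
}

# End of the executable name: ".exe" followed by whitespace or end of string.
EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def suggest_quoted(image_path):
    """Return the quoted form of a risky ImagePath, or None if it is already safe."""
    path = image_path.strip()
    if path.startswith('"'):
        return None  # already quoted, the path is unambiguous
    m = EXE_END.search(path)
    # If no ".exe" is found, the whole value is treated as the path;
    # such entries should be reviewed by hand before applying the suggestion.
    exe, args = (path[:m.end()], path[m.end():]) if m else (path, "")
    if " " not in exe:
        return None  # no space in the executable path, nothing ambiguous
    return f'"{exe}"{args}'


def audit(services):
    """Map each flagged service name to its suggested quoted ImagePath."""
    findings = {}
    for name, image_path in services.items():
        fixed = suggest_quoted(image_path)
        if fixed is not None:
            findings[name] = fixed
    return findings


if __name__ == "__main__":
    for name, fixed in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces; suggested ImagePath: {fixed}")
```
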
CVE-2017-12730 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.8.
The product sees action in the energy, food and agriculture, transportation systems, and water and wastewater systems sectors. It also sees use on a global basis.
mySCADA released new versions that address the identified vulnerability. mySCADA recommends users update to the latest version.