Sauter will not mitigate an authentication bypass vulnerability in its novaWeb web HMI application because the company discontinued the product in 2013 and no longer supports it, according to a report with ICS-CERT.
This vulnerability, discovered by independent researcher Maxim Rupp, is remotely exploitable.
All versions of novaWeb web HMI suffer from the issue.
An attacker can bypass authentication by modifying values in a cookie.
Sauter is a Germany-based company that also maintains an office in Switzerland.
The affected product, novaWeb web HMI, is a web-based HMI system. Sauter officials said novaWeb sees action in the commercial facilities and critical manufacturing sectors. Sauter estimates this product sees use primarily in Europe.
Essentially, the application uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure the cookie is valid for the associated user.
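The weakness class described above, shown as an added illustration that is not novaWeb code and is not taken from the ICS-CERT report: a check that trusts a client-supplied cookie value, next to one that accepts the cookie only if a server-side HMAC binds its user, role and expiry together. The cookie names, roles, key handling and timeout are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, never sent to clients
SESSION_TTL = 900                     # assumption: 15-minute session lifetime, in seconds

def weak_is_admin(cookies):
    """Weak pattern: the role is whatever the client-supplied cookie says it is."""
    return cookies.get("role") == "admin"

def _tag(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_session(user, role, now=None):
    """Issue a cookie whose user, role and expiry are covered by one HMAC."""
    if "|" in user or "|" in role:
        raise ValueError("field separator not allowed in user or role")
    now = time.time() if now is None else now
    payload = f"{user}|{role}|{int(now + SESSION_TTL)}"
    return {"session": f"{payload}|{_tag(payload)}"}

def verify_session(cookies, now=None):
    """Return (user, role) if the cookie is intact and unexpired, else None."""
    now = time.time() if now is None else now
    parts = cookies.get("session", "").split("|")
    if len(parts) != 4:
        return None
    user, role, expires, tag = parts
    expected = _tag(f"{user}|{role}|{expires}")
    # Constant-time comparison; bytes so a non-ASCII tag cannot raise TypeError.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    if not expires.isdigit() or int(expires) < now:
        return None
    return user, role

def strong_is_admin(cookies, now=None):
    """Authorize only on a role the server itself signed for this user."""
    session = verify_session(cookies, now)
    return session is not None and session[1] == "admin"
```
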
CVE-2016-5782 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.2.
No known public exploits specifically target this vulnerability. However, an attacker with low skill would be able to exploit this vulnerability.