There are three vulnerabilities with proof of concept (PoC) exploit code affecting MICROSYS, spol. s r.o. Promotic, a supervisory control and data acquisition/human-machine interface (SCADA/HMI) product.
All three vulnerabilities are remotely exploitable, according to the report, which released without coordination with either the vendor or ICS-CERT.
ICS-CERT has not yet verified the vulnerabilities or PoC code, but has reached out to the affected vendor to initiate a coordinated process of validation and mitigation. ICS-CERT is issuing this alert to provide early notice of the reported vulnerabilities and identify baseline mitigations for reducing risks posed by these vulnerabilities.
The report included vulnerability details and PoC exploit code for the following vulnerabilities: Directory traversal, which is remotely exploitable that could lead to a data leakage; stack overflow, which is remotely exploitable that could lead to a denial of service and possible remote code execution, and a heap overflow, which is remotely exploitable that could lead to a denial of service and possible remote code execution.
MICROSYS, spol. s r.o. is a Czech company with headquarters in Ostrava. Promotic is SCADA HMI software that includes support for a web interface and works with Microsoft Windows.