"CISA Warns of Serious Flaws in CONPROSYS HMI Software"
The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) warns of a set of vulnerabilities in the widely deployed CONPROSYS Human-Machine Interface (HMI) software that could allow an unauthenticated, remote attacker to inject commands and execute arbitrary code. CONPROSYS is a comprehensive industrial Internet of Things (IoT) system used across many industries, including manufacturing, agriculture, technology, and automotive. The most severe bug, tracked as CVE-2022-44456, is an OS command injection flaw that could give an attacker Remote Code Execution (RCE). It was disclosed in October 2022, when the vendor, Contec, published a security alert and released an updated version of the product. Since then, four additional vulnerabilities have been found in that version, including the use of default passwords and insufficient access controls. Contec has released CONPROSYS version 3.5.0 to address them. This article continues to discuss the set of new vulnerabilities found in the CONPROSYS HMI software.
Decipher reports "CISA Warns of Serious Flaws in CONPROSYS HMI Software"