mySCADA myPRO Manager Missing Authentication Vulnerability Allowing Unauthorized Access and File Uploads
Vulnerability
mySCADA myPRO Manager versions prior to 1.4 expose the administrative web interface without authentication, so an attacker with network access can retrieve sensitive information and upload files without supplying a password. The same versions also store sensitive information, including credentials, in cleartext, which an attacker who reaches the interface could read and reuse to gain further access.
Impact
Exploitation gives an unauthenticated attacker access to the administrative interface, including the ability to read sensitive information and upload files. Because the interface performs no request validation, it is also open to cross-site request forgery (CSRF): an attacker can lure an authenticated user into issuing requests to the myPRO Manager interface that compromise that user's account or data.
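The three weakness classes named above (an admin interface with no authentication, credentials stored in cleartext, and no CSRF protection) are easiest to recognise side by side. The following is an added illustration written for this page, not mySCADA code: the class names, the /admin/upload and /admin/config handlers, the session cookie and the X-CSRF-Token header are all hypothetical stand-ins, and the sample credential is constructed. The weak manager accepts any request and hands out its cleartext store; the hardened one gates every handler on a session, requires a per-session CSRF token for state-changing methods, and keeps only salted PBKDF2 digests.

```python
"""Added illustration of the three weakness classes named in this advisory:
missing authentication on an administrative interface, cleartext credential
storage, and absent CSRF protection. This is not mySCADA code; every class,
path, header and cookie name here is a hypothetical stand-in."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for the example)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


class VulnerableManager:
    """Weak pattern: every request is trusted, credentials sit in cleartext."""

    def __init__(self):
        # Constructed sample credential, stored exactly as typed.
        self.users = {"admin": "Password123!"}
        self.uploads = {}

    def admin_upload(self, req):
        # No session check and no CSRF token: any caller, from any origin,
        # can write a file into the manager.
        self.uploads[req.form["name"]] = req.form["data"]
        return 200, {"stored": req.form["name"]}

    def admin_config(self, req):
        # Hands the cleartext credential store to an unauthenticated caller.
        return 200, dict(self.users)


class HardenedManager:
    """Corrected pattern: session gate, per-session CSRF token, salted hashes."""

    PBKDF2_ROUNDS = 600_000

    def __init__(self):
        self.users = {}      # username -> (salt, pbkdf2_hmac digest)
        self.sessions = {}   # session id -> {"user": ..., "csrf": ...}
        self.uploads = {}

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.PBKDF2_ROUNDS)

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._digest(password, salt))

    def login(self, username, password):
        """Return (session_id, csrf_token) on success, None otherwise."""
        record = self.users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, self._digest(password, salt)):
            return None
        sid, csrf = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": username, "csrf": csrf}
        return sid, csrf

    def _authorize(self, req):
        """401 without a valid session; 403 when a state-changing request
        lacks the CSRF token issued to that session; None when allowed."""
        session = self.sessions.get(req.cookies.get("session", ""))
        if session is None:
            return 401
        if req.method not in ("GET", "HEAD"):
            sent = req.headers.get("X-CSRF-Token", "").encode()
            if not hmac.compare_digest(sent, session["csrf"].encode()):
                return 403
        return None

    def admin_upload(self, req):
        denied = self._authorize(req)
        if denied:
            return denied, None
        self.uploads[req.form["name"]] = req.form["data"]
        return 200, {"stored": req.form["name"]}

    def admin_config(self, req):
        denied = self._authorize(req)
        if denied:
            return denied, None
        # Only account names leave the store; salts and digests never do.
        return 200, {"users": sorted(self.users)}
```

The point of the hardened variant is that the same check runs in front of every administrative handler, read and write alike, and that a forged cross-origin POST fails even when the victim's session cookie is attached, because the attacker's page cannot read the CSRF token bound to that session.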
Remediation
Users are advised to update to mySCADA myPRO Manager version 1.4. CISA recommends minimizing network exposure for control system devices, using firewalls to isolate these devices from business networks, and employing secure remote access methods such as VPNs.
