mySCADA myPRO human-machine interface (HMI) and supervisory control and data acquisition (SCADA) systems could be hijacked remotely by unauthenticated attackers through five newly disclosed flaws, four rated critical and one rated high, SecurityWeek reports.
The bugs, which include improper authentication, missing authentication, OS command injection, and path traversal vulnerabilities, were reported by cybersecurity researcher Michael Heinzl and have already been addressed by mySCADA. If exploited, they could allow threat actors to execute arbitrary OS commands with elevated privileges and gain unauthorized access to the system and its files. A Censys search found dozens of myPRO instances exposed online, but whether those instances are actually susceptible to the vulnerabilities remains uncertain. The Cybersecurity and Infrastructure Security Agency has not observed any active exploitation of the flaws. The disclosure comes three years after Heinzl reported numerous critical security issues affecting myPRO deployments.