Critical vulnerability in APSystems Altenergy Power Control
Take action: If you are using Altenergy Power Control Software, lock it down behind a VPN, place it in an internal and isolated network with need-to-access policies in place. Then start pestering Altenergy for a patch.
Learn More
CISA has identified and is escalating a critical vulnerability in Altenergy Power Control Software: C1.2.5
The vulnerability is tracked as CVE-2023-28343, (CVSS3 score 9.8) which enables remote command execution at the OS level. Successful exploitation of this vulnerability may allow remote code execution.
The Vulnerability stems from Improper Neutralization of Special Elements Used in an OS Command ('OS Command Injection'). The vulnerability resides in the timezone parameter of index.php/management/set_timezone, allowing for OS command injection via shell metacharacters in models/management_model.php
While APSystems has not responded to CISA's requests for mitigation collaboration, customers who are using Altenergy Power Control Software should contact APSystems support for more information.
CISA recommends the following defensive measures to minimize the risk of exploitation:
- Minimize network exposure for control system devices and ensure they are not accessible from the Internet.
- Isolate control system networks and remote devices behind firewalls, separating them from business networks.
- Use secure remote access methods, such as virtual private networks (VPNs), and keep VPNs updated to the latest version.
- Perform proper impact analysis and risk assessment before deploying defensive measures.
