Advisory

Multiple critical flaws reported in mySCADA myPRO product

Take action: The obvious mitigation is to isolate your SCADA software from the internet on a separate network, but it appears that some systems have been exposed. Even if yours is not exposed, four critical flaws and two perfect 10 flaws demand a patch. Don't delay this: it will be painful now, but less painful than being hacked.



Multiple critical vulnerabilities have been discovered in mySCADA myPRO, an industrial automation system developed by the Czech company mySCADA. The system, which provides human-machine interface (HMI) and supervisory control and data acquisition (SCADA) capabilities for industrial process control, is deployed worldwide across critical manufacturing sectors.

The vulnerabilities affect two main components: myPRO Manager and myPRO Runtime, specifically versions prior to Manager 1.3 and Runtime 9.2.1. These security flaws were discovered by cybersecurity researcher Michael Heinzl and reported to CISA in July and August 2024.

Critical Vulnerabilities:

  • CVE-2024-47407 (CVSS score 10) - OS Command Injection: a parameter validation flaw in myPRO Manager that allows unauthenticated remote attackers to inject arbitrary operating system commands.
  • CVE-2024-52034 (CVSS score 10) - OS Command Injection: similar to the first vulnerability but in a different component. It enables arbitrary command injection by unauthenticated remote attackers.
  • CVE-2024-47138 (CVSS score 9.3) - Missing Authentication: the administrative interface listens on all interfaces by default, and no authentication is required to access critical functions.
  • CVE-2024-45369 (CVSS score 9.2) - Improper Authentication: a weak authentication mechanism that affects verification of authenticated and authorized requests.
  • CVE-2024-50054 (CVSS score 8.7) - Path Traversal: insufficient verification of user-controlled filename parameters enables retrieval of arbitrary files from the system.

The vulnerabilities could allow complete compromise of affected systems, including unauthorized admin access and elevated privileges.

According to internet scanning engine Censys, several dozen mySCADA HMIs are currently exposed to the internet, though the number of vulnerable systems is undetermined. By default, the vulnerable service listens on all network interfaces after installation, increasing potential exposure.

Mitigation: mySCADA has released patches addressing these vulnerabilities in:

  • myPRO Manager version 1.3
  • myPRO Runtime version 9.2.1

Users are strongly advised to update to these latest versions immediately. For systems that cannot be updated immediately, CISA recommends implementing network isolation, using VPNs for remote access, and following defense-in-depth strategies.
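
The following added example (not code from mySCADA, CISA, or the original advisory) triages an asset inventory against the fixed versions named above and flags services bound to all interfaces. The inventory field names, host names, addresses and the dotted-numeric version format are assumptions made for illustration.

```python
import ipaddress

# Fixed releases named in the advisory; anything prior is affected.
FIXED = {"manager": (1, 3), "runtime": (9, 2, 1)}

def parse_version(text):
    """'9.2.1' -> (9, 2, 1). Assumes dotted-numeric version strings."""
    return tuple(int(part) for part in text.strip().split("."))

def is_vulnerable(component, version):
    """True when `version` is prior to the fixed release of `component`."""
    fixed, found = FIXED[component], parse_version(version)
    width = max(len(fixed), len(found))
    pad = lambda t: t + (0,) * (width - len(t))  # so 1.3 == 1.3.0
    return pad(found) < pad(fixed)

def binds_all_interfaces(addr):
    """True for wildcard listen addresses (0.0.0.0 or ::)."""
    return ipaddress.ip_address(addr).is_unspecified

def triage(inventory):
    """Return [(host name, [reasons])] for hosts that need attention."""
    findings = []
    for host in inventory:
        reasons = []
        try:
            if is_vulnerable(host["component"], host["version"]):
                reasons.append("version prior to fix")
        except (KeyError, ValueError):
            reasons.append("version unknown, verify manually")
        if binds_all_interfaces(host["listen"]):
            reasons.append("listens on all interfaces")
        if reasons:
            findings.append((host["name"], reasons))
    return findings

# Constructed sample inventory: names, versions and addresses are made up.
INVENTORY = [
    {"name": "hmi-01", "component": "manager", "version": "1.2", "listen": "0.0.0.0"},
    {"name": "hmi-02", "component": "runtime", "version": "9.2.1", "listen": "10.20.0.5"},
    {"name": "hmi-03", "component": "runtime", "version": "9.2", "listen": "::"},
    {"name": "hmi-04", "component": "manager", "version": "1.3", "listen": "0.0.0.0"},
    {"name": "hmi-05", "component": "manager", "version": "unknown", "listen": "127.0.0.1"},
]

if __name__ == "__main__":
    for name, reasons in triage(INVENTORY):
        print(f"{name}: {'; '.join(reasons)}")
```

A patched host that still listens on all interfaces (hmi-04 in the sample) is reported separately, since the advisory treats network isolation as a mitigation in its own right.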
