Today CISA’s NCCIC-ICS published two control system security
advisories for products from Mitsubishi Electric and Horner Automation.

The Mitsubishi advisory describes an improper authentication vulnerability in the Mitsubishi GOT
products. The vulnerability is self-reported. Mitsubishi provides generic
mitigation measures pending development of an updated version.
NCCIC-ICS reports that an uncharacterized attacker could
remotely exploit the vulnerability to allow an attacker to gain unauthorized

The Horner advisory describes two vulnerabilities in the Horner Automation Cscape control system application
programming software. The vulnerabilities were reported by Sharon Brizinov of
Claroty. Horner has a new version that mitigates the vulnerabilities. There is no
indication that Brizinov has been provided an opportunity to verify the
efficacy of the fix.
The two reported vulnerabilities are:
• Improper input validation – CVE-2021-22678,
• Improper access control – CVE-2021-22682
NCCIC-ICS reports that an uncharacterized attacker with
uncharacterized access could exploit the vulnerabilities to allow code execution
in the context of the current process or locally escalate privileges.