News for January 18, 2023


Unpatched Zoho Devices
by Artie Kaye

A proof-of-concept exploit will soon be made public for a vulnerability that was patched last year in many Zoho ManageEngine products. The remote code execution flaw does not require authentication to exploit. As with every security hole that becomes publicly known, an increase in attacks will follow shortly afterward. If you are using any of the products listed in the first link below, patch them at your earliest opportunity.

The flaw is listed as CVE-2022-47966.

https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html

https://www.darkreading.com/application-security/unpatched-zoho-mangeengine-products-under-active-attack

https://www.securityweek.com/researchers-brace-zoho-manageengine-spray-and-pray-attacks

https://thehackernews.com/2023/01/zoho-manageengine-poc-exploit-to-be.html

CISA Advises Patching Flaws in ICS
by Artie Kaye

CISA has outlined vulnerabilities in various industrial control systems, along with mitigations and solutions. The items below are the affected companies and their respective products, which can be patched. Because of the high severity of the flaws, patching as soon as possible is recommended.

GE
Proficy Historian

Mitsubishi Electric
MELSEC iQ-F, iQ-R Series

Siemens
SINEC INS
S7-1500 CPU devices
Mendix SAML Module
Automation License Manager
Solid Edge before V2023 MP1

Contec
CONPROSYS HMI System (CHS) (Update A)

Sewio
RTLS Studio

RONDS
Equipment Predictive Maintenance Solution

InHand Networks
InRouter

Panasonic
Sanyo CCTV Network Camera

SAUTER Controls
Nova 200 – 220 Series (PLC 6)

Johnson Controls
Metasys

Hitachi Energy
Lumada APM

Philips
Patient Information Center iX (PIC iX) and Efficia CM Series (Update A)

https://www.cisa.gov/uscert/ncas/current-activity/2023/01/12/cisa-releases-twelve-industrial-control-systems-advisories

https://www.cisa.gov/uscert/ncas/current-activity/2023/01/17/cisa-releases-four-industrial-control-systems-advisories

https://thehackernews.com/2023/01/cisa-warns-of-flaws-in-siemens-ge.html