CVE-2015-7911
📋 TL;DR
This vulnerability allows remote attackers to gain administrative access to Saia Burgess industrial control system devices via hardcoded FTP credentials. Affected organizations include industrial facilities, manufacturing plants, and critical infrastructure using these specific PCD series controllers. Attackers can fully compromise device security without needing legitimate credentials.
💻 Affected Systems
- PCD1.M0xx0
- PCD1.M2xx0
- PCD2.M5xx0
- PCD3.Mxx60
- PCD3.Mxxx0
- PCD7.D4xxD
- PCD7.D4xxV
- PCD7.D4xxWTPF
- PCD7.D4xxxT5F
- PCD3.T665
- PCD3.T666
📦 What is this software?
PCD1.M0xx0 Firmware by Saia Burgess Controls
PCD1.M2xx0 Firmware by Saia Burgess Controls
PCD2.M5xx0 Firmware by Saia Burgess Controls
PCD3.Mxx60 Firmware by Saia Burgess Controls
PCD3.Mxxx0 Firmware by Saia Burgess Controls
PCD3.T665 Firmware by Saia Burgess Controls
PCD3.T666 Firmware by Saia Burgess Controls
PCD7.D4xxD Firmware by Saia Burgess Controls
PCD7.D4xxD SVGA MB Firmware by Saia Burgess Controls
PCD7.D4xxV Firmware by Saia Burgess Controls
PCD7.D4xxV VGA MB Firmware by Saia Burgess Controls
PCD7.D4xxWTPF Firmware by Saia Burgess Controls
PCD7.D4xxWTPF WVGA MB Firmware by Saia Burgess Controls
PCD7.D4xxxT5F Firmware by Saia Burgess Controls
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of industrial control systems leading to operational disruption, safety hazards, data theft, or physical damage to industrial processes.
Likely Case
Unauthorized access to device configuration, potential malware installation, data exfiltration, and disruption of industrial operations.
If Mitigated
Limited impact if devices are air-gapped, network segmentation prevents FTP access, or compensating controls detect unauthorized access attempts.
🎯 Exploit Status
Exploitation requires only FTP client access to device IP with hardcoded credentials. No special tools or skills needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.24.50 for most devices, 1.24.41 for PCD3.T665/T666
Vendor Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-15-335-01
Restart Required: Yes
Instructions:
1. Download firmware update from Saia Burgess support portal.
2. Backup current configuration.
3. Apply firmware update via appropriate method (USB, network).
4. Verify successful update.
5. Change all default credentials after update.
🔧 Temporary Workarounds
Disable FTP Service
Disable FTP service on affected devices if not required for operations.
Device-specific configuration command to disable FTP service
Network Segmentation
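Isolate affected devices in separate VLAN with strict firewall rules blocking FTP access.
# Example firewall rule on a Linux router in front of the devices (<device_ip> is a placeholder; FORWARD is used because the INPUT chain only filters traffic addressed to the router itself):
iptables -A FORWARD -p tcp -d <device_ip> --dport 21 -j DROP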
🧯 If You Can't Patch
- Implement strict network access controls to block all FTP traffic (port 21) to affected devices
- Monitor FTP authentication logs for unauthorized access attempts and implement intrusion detection
🔍 How to Verify
Check if Vulnerable:
Attempt FTP connection to device port 21 using known hardcoded credentials (consult ICS-CERT advisory for specifics).
Check Version:
Device-specific command via web interface or serial console to display firmware version
Verify Fix Applied:
Verify firmware version is at or above patched version and test that hardcoded credentials no longer work.
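The version half of this check can be run across an asset inventory. The following is an added example, not vendor or advisory code: it matches models against the affected list above and compares firmware against the fixed versions stated on this page. It assumes a lowercase "x" in a model pattern stands for any single letter or digit and that firmware is reported as three dot-separated numbers; the inventory rows are constructed.

```python
import re

FIXED_DEFAULT = (1, 24, 50)   # fixed version for most devices (from this page)
FIXED_T66X = (1, 24, 41)      # fixed version for PCD3.T665 / PCD3.T666
T66X = ("PCD3.T665", "PCD3.T666")

# Affected model patterns as listed on this page.
AFFECTED = ["PCD1.M0xx0", "PCD1.M2xx0", "PCD2.M5xx0", "PCD3.Mxx60",
            "PCD3.Mxxx0", "PCD7.D4xxD", "PCD7.D4xxV", "PCD7.D4xxWTPF",
            "PCD7.D4xxxT5F", "PCD3.T665", "PCD3.T666"]

def _compile(pattern):
    # Assumption: lowercase "x" is a one-character wildcard in the order code.
    body = "".join("[0-9A-Z]" if c == "x" else re.escape(c) for c in pattern)
    return re.compile(body + r"\Z")

_MATCHERS = [(p, _compile(p)) for p in AFFECTED]

def parse_version(text):
    """Parse 'a.b.c' into a tuple of ints, or return None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def assess(model, firmware):
    """Return (status, fixed_version); status is one of
    'not_listed', 'unknown', 'needs_update', 'patched'."""
    name = model.strip().upper()
    hit = next((p for p, rx in _MATCHERS if rx.match(name)), None)
    if hit is None:
        return "not_listed", None
    fixed = FIXED_T66X if hit in T66X else FIXED_DEFAULT
    ver = parse_version(firmware)
    if ver is None:
        return "unknown", fixed          # cannot confirm: treat as unpatched
    # Tuple comparison is numeric, so 1.24.9 sorts below 1.24.41.
    return ("patched" if ver >= fixed else "needs_update"), fixed

def audit(inventory):
    """Map asset name -> status for (asset, model, firmware) rows."""
    return {asset: assess(model, fw)[0] for asset, model, fw in inventory}

# Constructed sample inventory (not real devices).
INVENTORY = [("plc-01", "PCD3.M5540", "1.22.10"), ("plc-02", "PCD1.M2120", "1.24.50"),
             ("rio-01", "PCD3.T665", "1.24.41"), ("rio-02", "PCD3.T666", "1.24.9"),
             ("hmi-01", "PCD7.D457VT5F", "1.24.49"), ("plc-03", "PCD2.M480", "1.08.00")]

if __name__ == "__main__":
    for asset, status in audit(INVENTORY).items():
        print(f"{asset}: {status}")
```

A "patched" result covers only the firmware version; the credential test described above is still needed to confirm the fix.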
📡 Detection & Monitoring
Log Indicators:
- Successful FTP logins from unexpected IPs
- Multiple failed FTP login attempts
- Configuration changes via FTP
Network Indicators:
- FTP traffic to industrial control devices
- Port 21 connections from external networks
SIEM Query:
dest_port=21 AND (dest_ip IN [industrial_device_ips])