CVE-2015-7921
📋 TL;DR
This vulnerability involves hardcoded FTP credentials in Pro-face GP-Pro EX HMI software, allowing remote attackers to bypass authentication and gain unauthorized access. Affected organizations include industrial control system operators using vulnerable versions of this human-machine interface software. Attackers can leverage these known credentials to access FTP servers without needing to crack passwords.
💻 Affected Systems
- Pro-face GP-Pro EX EX-ED
- PFXEXEDV
- PFXEXEDLS
- PFXEXGRPLS
📦 What is this software?
Pro-face GP-Pro EX EX-ED by Schneider Electric
Pro-face GP-Pro EX PFXEXEDLS by Schneider Electric
Pro-face GP-Pro EX PFXEXEDV by Schneider Electric
Pro-face GP-Pro EX PFXEXGRPLS by Schneider Electric
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of industrial control systems, allowing attackers to upload malicious firmware, modify configurations, disrupt operations, or exfiltrate sensitive industrial data, potentially leading to physical damage or safety incidents.
Likely Case
Unauthorized access to FTP servers enabling attackers to view, modify, or delete configuration files, potentially disrupting HMI operations or gaining foothold for further attacks within industrial networks.
If Mitigated
Limited impact if FTP service is disabled or network segmentation prevents external access, though internal threats from compromised devices remain possible.
🎯 Exploit Status
Exploitation requires only knowledge of hardcoded credentials and network access to FTP service; no special tools or skills needed beyond basic FTP client usage.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.05.000
Vendor Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-16-096-01
Restart Required: Yes
Instructions:
1. Download version 4.05.000 or later from Pro-face/Pro-face America.
2. Back up current configurations.
3. Install the update following vendor instructions.
4. Restart the HMI system.
5. Verify FTP functionality if required.
🔧 Temporary Workarounds
Disable FTP Service
Completely disable the FTP server functionality if it is not required for operations.
Configure through HMI software settings to disable FTP service
Network Segmentation
Isolate HMI systems in separate network segments with strict firewall rules.
Configure firewall to block FTP (port 21) traffic except from authorized management systems
🧯 If You Can't Patch
- Implement strict network access controls to limit FTP access to authorized IP addresses only
- Monitor FTP logs for unauthorized access attempts and implement intrusion detection
🔍 How to Verify
Check if Vulnerable:
Check software version in HMI system settings; if version is earlier than 4.05.000 and FTP service is enabled, system is vulnerable.
Check Version:
Check version through HMI software interface or configuration files
Verify Fix Applied:
After updating to 4.05.000 or later, verify that hardcoded credentials no longer work by attempting FTP authentication with known hardcoded credentials.
📡 Detection & Monitoring
Log Indicators:
- FTP authentication attempts using hardcoded credentials
- Unauthorized file uploads/downloads via FTP
Network Indicators:
- FTP traffic to/from HMI systems from unauthorized sources
- Port 21 scans targeting HMI systems
SIEM Query (pseudo-query; adapt field names to your SIEM and replace [HMI_IP_RANGE] with the address range of your HMI systems; the FTP server port is the destination port of inbound traffic, and because the hardcoded credentials are valid, successful logins matter as much as failures):
dest_port=21 AND (event_type="authentication_failure" OR event_type="authentication_success" OR event_type="file_transfer") AND dest_ip=[HMI_IP_RANGE]