CVE-2021-22657

10.0 CRITICAL

📋 TL;DR

This OS command injection vulnerability lets an unauthenticated remote attacker execute arbitrary operating system commands on mySCADA myPRO hosts by placing shell metacharacters in the API's password parameter. All versions up to and including 8.20.0 are affected. Because myPRO is the HMI/SCADA layer, a successful exploit hands the attacker the host that visualises and controls the industrial process.

💻 Affected Systems

Products:
  • mySCADA myPRO
Versions: 8.20.0 and prior
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with the vulnerable API feature enabled are affected. The vulnerability exists in the core product functionality.

📦 What is this software?

mySCADA myPRO is an HMI/SCADA package used to visualise and control industrial processes. It runs on Windows and Linux (see the affected-systems list above) and exposes a web interface and an HTTP API, which is where the vulnerable password parameter lives.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system takeover, data exfiltration, ransomware deployment, or disruption of industrial processes leading to physical damage or safety incidents.

🟠

Likely Case

Unauthorized access to the system, installation of backdoors, credential theft, and lateral movement within the network.

🟢

If Mitigated

Limited impact if systems are isolated, have strict network segmentation, and command injection attempts are blocked by security controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation only needs network reachability to the myPRO API endpoint; no credentials or user interaction are required, which is consistent with the 10.0 score. The issue is documented in the public CISA advisory linked below.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.20.1 or later

Vendor Advisory: https://www.cisa.gov/uscert/ics/advisories/icsa-21-355-01

Restart Required: Yes

Instructions:

1. Download the latest version from mySCADA official sources.
2. Back up the current configuration and data.
3. Install the updated version following vendor documentation.
4. Restart the myPRO service or system.
5. Verify the update was successful.

🔧 Temporary Workarounds

Disable API Access

Applies to: all

Temporarily disable the vulnerable API feature until patching can be completed.

Edit the myPRO configuration to disable API access (the exact setting is not given here; follow the vendor documentation). Afterwards confirm from another host that the API endpoint no longer answers, since a disabled-but-still-listening API gives no protection.

Network Segmentation

Applies to: all

Isolate myPRO systems from untrusted networks and restrict access to authorized IPs only.

Configure firewall rules to block all external access to the myPRO API ports (default 80/443), allowing only the engineering and operator hosts that genuinely need the API. Remember that the exploit is unauthenticated, so any host that can reach the port can exploit it.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the myPRO API endpoints
  • Deploy web application firewall (WAF) rules to detect and block command injection attempts against the password parameter. Treat this as a stopgap: the WAF must terminate TLS to inspect 443, and it must URL-decode (including double-encoded) values before matching, or encoded metacharacters such as %3B pass straight through.

🔍 How to Verify

Check if Vulnerable:

Check the myPRO version in the administration interface or configuration files. If version is 8.20.0 or earlier, the system is vulnerable.

Check Version:

Check the myPRO web interface or configuration files for version information

Verify Fix Applied:

Verify the installed version is 8.20.1 or later and that the API still authenticates normally. Do not send injection payloads to a production HMI; if a confirmation test is required, run it only against a non-production instance and with authorisation.
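The version comparison above is easy to get wrong: comparing version strings lexicographically says "8.9.0" is newer than "8.20.0". The following helper (an added example, not code from this page or from mySCADA) parses dotted versions into integer tuples before comparing. The affected ceiling 8.20.0 and the fixed version 8.20.1 are the values stated on this page; the version-string shapes it accepts ("v8.20", "8.20.0-rc1") are assumptions about how myPRO reports its version.

```python
"""Decide whether a myPRO version string falls in the affected range
("8.20.0 and prior", per the advisory text on this page).

Added example; not part of the page or of mySCADA's tooling.
"""
import re

# Highest affected release; anything later is assumed fixed (page states 8.20.1+).
AFFECTED_MAX = (8, 20, 0)

_VERSION_RE = re.compile(r"\s*v?(\d+(?:\.\d+)*)")  # assumed format: optional 'v', dotted ints


def parse_version(text):
    """'8.20.0' -> (8, 20, 0). Trailing suffixes such as '-rc1' are ignored,
    missing components are padded with 0, and only the first three components
    are compared (so '8.20.0.5' still counts as 8.20.0, the conservative choice)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts = parts + (0,) * (3 - len(parts))
    return parts[:3]


def is_vulnerable(version):
    """True when the parsed version is 8.20.0 or earlier.

    Note the pitfall this avoids: the naive string test
    `version <= "8.20.0"` returns False for "8.9.0", wrongly marking
    an old install as patched."""
    return parse_version(version) <= AFFECTED_MAX


if __name__ == "__main__":
    for v in ["8.9.0", "8.20.0", "8.20.1", "v8.20", "8.21.0-rc1"]:
        print(f"{v:>12}: {'VULNERABLE' if is_vulnerable(v) else 'not affected'}")
```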

📡 Detection & Monitoring

Log Indicators:

  • Unusual API access patterns
  • Commands containing shell metacharacters in API requests
  • Failed authentication attempts to API endpoints

Network Indicators:

  • Unusual outbound connections from myPRO systems
  • Traffic to unexpected ports or IP addresses

SIEM Query:

source="myPRO" AND url="*api*" AND param="*password*" AND (value="*;*" OR value="*|*" OR value="*`*" OR value="*$(*" OR value="*&*" OR value="*%3B*" OR value="*%7C*" OR value="*%60*")

The metacharacter alternatives are grouped so they only match inside the password parameter of an API request. Where the SIEM can URL-decode the value before matching, do so; the %XX alternatives cover the common cases when it cannot.
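The same detection logic as the SIEM query, run over access-log lines, as an added example that is not code from this page or from mySCADA. It assumes Combined Log Format request lines, an API under /api/, and a query parameter whose name ends in "password"; the sample log is constructed. Beyond the query above, it decodes the value twice (catching double-encoded payloads such as %253B) and counts API POSTs whose body is not in the access log, since those requests cannot be inspected from this source at all.

```python
"""Scan web-server access logs for myPRO API requests whose password
parameter carries shell metacharacters (command-injection probes).

Added example, not code from the original page or from mySCADA. LOG_LINE,
API_PATH and PASSWORD_PARAM are assumptions; adjust them to the real logs.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
API_PATH = re.compile(r"/api(/|$)", re.IGNORECASE)          # assumed API prefix
PASSWORD_PARAM = re.compile(r"pass(word|wd)?$", re.IGNORECASE)  # assumed param name
# Characters that terminate or nest a shell command: ; | & ` $ < > newline
SHELL_META = re.compile(r"[;|&`$<>\n]")

# Constructed sample log (not real myPRO traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Dec/2021:10:01:02 +0000] "GET /api/login?user=admin&password=Winter2021 HTTP/1.1" 200 512
10.0.0.9 - - [21/Dec/2021:10:01:15 +0000] "GET /api/login?user=admin&password=x%3Bid HTTP/1.1" 200 310
10.0.0.9 - - [21/Dec/2021:10:01:20 +0000] "GET /api/login?user=admin&password=x%60whoami%60 HTTP/1.1" 200 310
10.0.0.9 - - [21/Dec/2021:10:01:41 +0000] "GET /api/login?user=admin&password=x%253Bcat%2520%252Fetc%252Fpasswd HTTP/1.1" 200 310
10.0.0.12 - - [21/Dec/2021:10:02:01 +0000] "GET /static/app.js?v=1;2 HTTP/1.1" 200 8810
10.0.0.9 - - [21/Dec/2021:10:02:30 +0000] "POST /api/login HTTP/1.1" 200 310
"""


def parse_line(line):
    """Return the request fields of one access-log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def suspicious_values(target):
    """Return [(param, decoded_value)] for password-like query parameters of an
    API request whose decoded value contains a shell metacharacter."""
    parts = urlsplit(target)
    if not API_PATH.search(parts.path):
        return []
    hits = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if not PASSWORD_PARAM.search(name):
            continue
        for value in values:            # parse_qs already decoded once
            decoded = unquote(value)    # second pass catches double-encoding (%253B)
            if SHELL_META.search(decoded):
                hits.append((name, decoded))
    return hits


def scan(log_text):
    """Return (findings, blind): findings are dicts per suspicious request;
    blind counts API POSTs whose parameters live in the unlogged body."""
    findings, blind = [], 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if rec["method"] == "POST" and API_PATH.search(parts.path) and not parts.query:
            blind += 1  # body not in the access log; needs WAF/proxy body logging
        for name, value in suspicious_values(rec["target"]):
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "param": name, "value": value})
    return findings, blind


if __name__ == "__main__":
    found, unseen = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['param']}={f['value']!r}")
    print(f"{unseen} API POST request(s) could not be inspected (body not logged)")
```

The blind counter is the practical caveat: if myPRO's API takes the password in a POST body, an access log will never show the injected value, and detection has to come from a reverse proxy or WAF that logs request bodies, or from host-side telemetry such as the web-server process spawning a shell.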

