CVE-2021-27505

7.5 HIGH

📋 TL;DR

CVE-2021-27505 is an information disclosure vulnerability in mySCADA myPRO software where unauthorized users can access sensitive directory listings. This exposes internal system information that could aid attackers in further exploitation. Organizations using mySCADA myPRO versions before 8.20.0 are affected.

💻 Affected Systems

Products:
  • mySCADA myPRO
Versions: All versions prior to 8.20.0
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations with default configurations; no special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers obtain complete directory structure, configuration files, and sensitive data, enabling reconnaissance for more severe attacks like credential theft or system compromise.

🟠 Likely Case

Unauthorized access to directory listings reveals system architecture, file paths, and potentially configuration details that could be leveraged for targeted attacks.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to information disclosure without direct system compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only web access to the vulnerable endpoint; no authentication or special tools needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.20.0

Vendor Advisory: https://www.myscada.org/version-8-20-0-released-security-update

Restart Required: Yes

Instructions:

1. Download mySCADA myPRO version 8.20.0 or later from the official vendor site.
2. Back up the current configuration and data.
3. Install the update following vendor documentation.
4. Restart the myPRO service/application.

🔧 Temporary Workarounds

Network Access Restriction

all

Restrict network access to myPRO web interface using firewall rules to only allow trusted IP addresses.

Web Server Configuration

all

Configure web server to disable directory listing for sensitive paths if supported by the application.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate myPRO systems from untrusted networks
  • Deploy web application firewall (WAF) rules to block directory listing requests

🔍 How to Verify

Check if Vulnerable:

Access the myPRO web interface and attempt to browse to directory listing endpoints; if directory contents are displayed without authentication, the system is vulnerable.

Check Version:

Check the version in the myPRO web interface admin panel, or consult the application documentation for the version command.

Verify Fix Applied:

After updating to 8.20.0+, attempt the same directory listing access; the request should return access denied or a proper error message.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to directory listing endpoints (e.g., /directory/, /files/) with 200 OK responses
  • Multiple failed authentication attempts followed by directory access

Network Indicators:

  • Unusual HTTP GET requests to paths that typically contain sensitive directories
  • Traffic from unexpected sources to myPRO web ports

SIEM Query:

source="mypro_logs" AND (url_path="*/directory/*" OR url_path="*/files/*") AND http_status=200
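
The two log indicators above, applied to web access-log lines, as an added example that is not part of the original advisory or vendor code. It assumes a combined-log-style format (the page does not give myPRO's real log layout), treats 401/403 as failed authentication, and uses a threshold of 3 for "multiple"; the `/directory/` and `/files/` paths are the advisory's illustrative examples and the log lines are constructed.

```python
import re
from collections import Counter

# Assumption: combined-log-style lines; the page does not give myPRO's real log layout.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)
# Same illustrative patterns as the SIEM query: */directory/* or */files/*
LISTING_RE = re.compile(r"/(?:directory|files)/")
AUTH_FAIL = {"401", "403"}  # assumed to represent failed authentication


def scan(lines, fail_threshold=3):
    """Return (rule, ip, path, timestamp) for each 200 response on a listing path."""
    fails = Counter()  # failed-auth responses seen so far, per source IP
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # skip lines that do not parse instead of aborting the scan
        ip, status = m["ip"], m["status"]
        path = m["path"].split("?", 1)[0]  # match on the path, not the query string
        if status in AUTH_FAIL:
            fails[ip] += 1
        elif status == "200" and LISTING_RE.search(path):
            # Indicator 2 (failures, then listing access) outranks indicator 1.
            rule = ("listing_after_auth_failures"
                    if fails[ip] >= fail_threshold else "listing_200")
            findings.append((rule, ip, path, m["ts"]))
    return findings


# Constructed sample lines (documentation IP ranges), not real myPRO logs.
SAMPLE = [
    '10.0.5.20 - operator [12/Mar/2021:09:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Mar/2021:09:01:10 +0000] "POST /login HTTP/1.1" 401 210',
    '198.51.100.7 - - [12/Mar/2021:09:01:12 +0000] "POST /login HTTP/1.1" 401 210',
    '198.51.100.7 - - [12/Mar/2021:09:01:15 +0000] "POST /login HTTP/1.1" 401 210',
    '198.51.100.7 - - [12/Mar/2021:09:01:30 +0000] "GET /files/ HTTP/1.1" 200 1843',
    '203.0.113.9 - - [12/Mar/2021:09:05:00 +0000] "GET /directory/?sort=name HTTP/1.1" 200 990',
    '203.0.113.9 - - [12/Mar/2021:09:05:02 +0000] "GET /directory/ HTTP/1.1" 403 120',
    'truncated line without a request field',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding, sep="\t")
```

A 403 on a listing path, as in the second-to-last sample line, is the response expected after the fix and produces no finding.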
