CVE-2021-43981
📋 TL;DR
CVE-2021-43981 is a critical OS command injection vulnerability in mySCADA myPRO versions 8.20.0 and earlier. Attackers can execute arbitrary operating system commands through email parameters, potentially compromising the entire system. This affects industrial control systems using vulnerable mySCADA myPRO installations.
💻 Affected Systems
- mySCADA myPRO
📦 What is this software?
myPRO by mySCADA
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands with system privileges, potentially disrupting industrial operations, stealing sensitive data, or deploying ransomware.
Likely Case
Attackers gain shell access to the underlying operating system, enabling lateral movement, data exfiltration, or installation of persistent backdoors.
If Mitigated
With proper network segmentation and access controls, impact is limited to the myPRO application server, though command execution remains possible.
🎯 Exploit Status
The vulnerability is easily exploitable with publicly available proof-of-concept code. No authentication is required to trigger the vulnerable email function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.21.0 and later
Vendor Advisory: https://www.cisa.gov/uscert/ics/advisories/icsa-21-355-01
Restart Required: Yes
Instructions:
1. Download mySCADA myPRO version 8.21.0 or later from the official vendor portal.
2. Back up the current configuration and data.
3. Stop the myPRO service.
4. Install the updated version.
5. Restart the service and verify functionality.
🔧 Temporary Workarounds
Disable Email Functionality
Temporarily disable the email sending feature to prevent exploitation
Navigate to myPRO configuration > Email Settings > Disable all email functionality
Network Segmentation
Isolate myPRO systems from the internet and restrict internal access
Configure firewall rules to block inbound connections to myPRO ports (typically 80, 443, 8080)
🧯 If You Can't Patch
- Implement strict network access controls to limit connections to myPRO systems
- Deploy application-level firewalls or WAFs with command injection detection rules
🔍 How to Verify
Check if Vulnerable:
Check myPRO version in the web interface or configuration files. Versions 8.20.0 or earlier are vulnerable.
Check Version:
Run mypro --version (Linux) or check About in the web interface
Verify Fix Applied:
Verify version is 8.21.0 or later in the web interface or via 'mypro --version' command.
📡 Detection & Monitoring
Log Indicators:
- Unusual email sending attempts with suspicious parameters
- System command execution from myPRO process
- Failed authentication attempts followed by email function calls
Network Indicators:
- HTTP POST requests to email endpoints with command injection patterns
- Outbound connections from myPRO to unexpected destinations
SIEM Query:
source="mypro" AND ("email" OR "sendmail") AND ("cmd.exe" OR "/bin/bash" OR "powershell")
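A small detector for the network indicator listed above (HTTP POSTs to an email endpoint whose parameters carry shell metacharacters), added here as example code and not taken from the advisory or the vendor. The log line format, the /sendmail path and the parameter names are assumptions, since the advisory does not name myPRO's actual endpoint or fields; the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs

# Shell metacharacters and interpreter names that have no place in an email
# address or subject; their presence in an email parameter is the indicator.
SHELL_META = re.compile(
    r"[;&|`$<>]|\b(?:cmd\.exe|/bin/(?:ba)?sh|powershell)\b", re.IGNORECASE
)

# Parameter names treated as "email parameters". Assumed names, not myPRO's
# real field names, which the advisory does not list.
EMAIL_PARAMS = {"email", "to", "recipient", "subject", "mail"}

# Assumed log format: <source ip> "<METHOD> <path>" <status> body="<raw form body>"
LOG_LINE = re.compile(
    r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) body="(?P<body>.*)"$'
)


def suspicious_params(body: str) -> dict:
    """Return {param: decoded value} for email parameters containing shell metacharacters."""
    hits = {}
    # parse_qs URL-decodes values, so an encoded ';' or '$' is visible to the regex.
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name.lower() not in EMAIL_PARAMS:
            continue
        for value in values:
            if SHELL_META.search(value):
                hits[name] = value
    return hits


def scan_log(lines):
    """Yield (source, path, flagged params) for POSTs to a mail endpoint with injected-looking parameters."""
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["method"] != "POST" or "mail" not in m["path"].lower():
            continue
        hits = suspicious_params(m["body"])
        if hits:
            yield m["src"], m["path"], hits


# Constructed sample log lines: one benign send, two with metacharacters, one unrelated GET.
SAMPLE_LOG = [
    '10.0.0.5 "POST /sendmail" 200 body="to=ops%40example.com&subject=Alarm+cleared"',
    '10.0.0.9 "POST /sendmail" 200 body="to=ops%40example.com%3Bid&subject=test"',
    '10.0.0.9 "GET /status" 200 body=""',
    '10.0.0.7 "POST /sendmail" 500 body="to=a%40b.com&subject=%24(whoami)"',
]

if __name__ == "__main__":
    for src, path, hits in scan_log(SAMPLE_LOG):
        print(f"{src} POST {path}: {hits}")
```

Only the two lines with metacharacters in an email parameter are reported; the benign send and the GET are ignored.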