CVE-2023-35189
📋 TL;DR
CVE-2023-35189 is a critical remote code execution vulnerability in Iagona ScrutisWeb versions 2.1.37 and earlier. Unauthenticated attackers can upload malicious payloads and execute arbitrary code on affected systems. Organizations using vulnerable versions of this industrial control system software are at immediate risk.
💻 Affected Systems
- Iagona ScrutisWeb
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, install malware, pivot to internal networks, disrupt industrial operations, and potentially cause physical damage.
Likely Case
Attackers gain initial foothold, deploy ransomware or cryptocurrency miners, steal sensitive industrial data, and maintain persistent access for further attacks.
If Mitigated
Attack attempts are blocked at network perimeter, detected by security controls, and logged for investigation with minimal operational impact.
🎯 Exploit Status
Exploitation is straightforward with publicly available proof-of-concept code. CISA has confirmed active exploitation in the wild.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.38 or later
Vendor Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-03
Restart Required: Yes
Instructions:
1. Contact Iagona for updated version 2.1.38 or later.
2. Backup current configuration and data.
3. Install the update following vendor instructions.
4. Restart the ScrutisWeb service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Network Segmentation
Isolate ScrutisWeb systems from untrusted networks and internet access
Web Application Firewall
Deploy WAF with rules to block malicious file uploads and RCE attempts
🧯 If You Can't Patch
- Immediately disconnect vulnerable systems from internet and untrusted networks
- Implement strict network access controls allowing only necessary connections from trusted sources
🔍 How to Verify
Check if Vulnerable:
Check ScrutisWeb version in administration interface or configuration files. If version is 2.1.37 or earlier, system is vulnerable.
Check Version:
Check web interface at /admin or examine application configuration files for version information
Verify Fix Applied:
Verify version is 2.1.38 or later in administration interface. Test file upload functionality with safe test files.
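The version check above is easy to get wrong when done as a plain string comparison ("2.1.4" sorts after "2.1.37" as text). The following is an added helper, not part of the advisory or of Iagona's software: it pulls a dotted version out of whatever banner or config line you read from the administration interface and compares it numerically against the 2.1.38 fix version stated above. The regex and the sample banner strings are assumptions for illustration.

```python
import re

# Fix version from the advisory: 2.1.38 or later is patched.
FIXED_VERSION = "2.1.38"


def parse_version(text):
    """Extract the first dotted version number from a banner or config line
    and return it as a tuple of ints so it compares numerically."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version_text):
    """True if the observed version is below the fixed version.

    Tuple comparison handles the string-sorting pitfall: (2, 1, 4) < (2, 1, 37),
    whereas as strings "2.1.4" > "2.1.37". A longer tuple with an equal prefix
    (e.g. 2.1.38.0) compares greater than (2, 1, 38), i.e. not vulnerable."""
    return parse_version(version_text) < parse_version(FIXED_VERSION)


if __name__ == "__main__":
    # Constructed sample banners (assumed format), not real ScrutisWeb output.
    for banner in ("ScrutisWeb 2.1.37", "Version: 2.1.38", "build 2.1.4", "2.2.0"):
        status = "VULNERABLE" if is_vulnerable(banner) else "patched"
        print(f"{banner!r}: {status}")
```

Run it against the version string you find at the administration interface or in the configuration files; anything reported as VULNERABLE needs the 2.1.38 update.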
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to ScrutisWeb
- Suspicious process execution from web server context
- Failed authentication attempts followed by successful file uploads
Network Indicators:
- HTTP POST requests with unusual file extensions to ScrutisWeb endpoints
- Outbound connections from ScrutisWeb server to unknown external IPs
SIEM Query:
source="scrutisweb" AND (event="file_upload" OR event="command_execution")
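The log indicators above can be checked mechanically. Below is an added detector, not code from the advisory or from Iagona, that applies three of them (uploads with an unexpected file extension, repeated failed logins followed by an upload from the same source, and process execution from the web server context) to application log lines. The line format, the event names, the extension allowlist, the threshold and window, and the sample lines are all assumptions constructed for the example; the event names mirror the SIEM query's file_upload and command_execution values.

```python
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed application-log format, one event per line:
#   <ISO-8601 UTC timestamp> <source IP> <event> <detail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<event>\w+)\s+(?P<detail>\S+)$"
)

# Assumed allowlist of extensions the application legitimately accepts.
ALLOWED_UPLOAD_EXTENSIONS = {".pdf", ".csv", ".xml", ".txt", ".log"}
# Assumed: this many failed logins within the window, then an upload, is suspicious.
FAILED_AUTH_THRESHOLD = 2
FAILED_AUTH_WINDOW = timedelta(minutes=10)

# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
2023-07-12T10:01:02Z 10.0.0.5 auth_failure -
2023-07-12T10:01:05Z 10.0.0.5 auth_failure -
2023-07-12T10:01:09Z 10.0.0.5 auth_success -
2023-07-12T10:01:20Z 10.0.0.5 file_upload invoice.aspx
2023-07-12T10:01:25Z 10.0.0.5 command_execution cmd.exe
2023-07-12T10:05:00Z 10.0.0.9 file_upload report.pdf
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def analyze(log_text):
    """Return a list of (rule, source_ip, detail) alerts for the given log text."""
    alerts = []
    recent_failures = defaultdict(list)  # source IP -> timestamps of failed logins
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole scan
        ip, event, detail, ts = rec["ip"], rec["event"], rec["detail"], rec["ts"]
        if event == "auth_failure":
            recent_failures[ip].append(ts)
        elif event == "file_upload":
            # Indicator: upload with an extension the application does not normally accept.
            ext = os.path.splitext(detail)[1].lower()
            if ext not in ALLOWED_UPLOAD_EXTENSIONS:
                alerts.append(("unusual_upload_extension", ip, detail))
            # Indicator: failed authentication attempts followed by a successful upload.
            window_fails = [t for t in recent_failures[ip] if ts - t <= FAILED_AUTH_WINDOW]
            if len(window_fails) >= FAILED_AUTH_THRESHOLD:
                alerts.append(("failed_auth_then_upload", ip, detail))
        elif event == "command_execution":
            # Indicator: process execution from the web server context.
            alerts.append(("command_execution", ip, detail))
    return alerts


if __name__ == "__main__":
    for rule, ip, detail in analyze(SAMPLE_LOG):
        print(f"ALERT {rule}: src={ip} detail={detail}")
```

The allowlist and the failure threshold are the knobs to tune against a baseline of normal ScrutisWeb traffic before relying on the output; the point is that the three indicators listed above are each a concrete, testable rule rather than a judgement call.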