Industrial automation solutions provider MDT Software has patched several critical and high-severity vulnerabilities in its flagship product, MDT AutoSave.
MDT AutoSave is an automation change management solution that provides backup, version control, historical tracking, user permission, audit trail, change detection, and disaster recovery capabilities for a wider range of industrial control systems (ICS), including PLC, CNC, SCADA, HMI, robots, drives, and welders.
The product is used by some of the world’s biggest manufacturers, including major car makers (Tesla, Kia, BMW, Hyundai, Honda), Coca Cola, P&G, Johnson & Johnson, AstraZeneca, and Nestlé Purina.
Researchers at industrial cybersecurity firm Claroty discovered that MDT AutoSave is affected by seven types of vulnerabilities, including two rated critical and five rated high severity.
Sharon Brizinov, who leads the Vulnerability Research Team at Claroty, told SecurityWeek that an attacker needs network access to the MDT AutoSave server in order to exploit the vulnerabilities.
According to an advisory published last week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), one of the critical vulnerabilities, CVE-2021-32953, can be exploited to create a new user in the system by using SQL commands, and update that user’s permissions, which allows the attacker to log into the system.
Learn More About Vulnerabilities in Industrial Products at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits Virtual Event Series
The second critical flaw, CVE-2021-32933, has been described as a command injection issue and it can be exploited to run a malicious process.
“[CVE-2021-32933] could have enabled an ..
Support the originator by clicking the read the rest link below.
