CVE-2019-11536
Description
Kalkitech SYNC3000 substation DCU GPC vulnerable to client-side script injection via webserver when WebHMI not installed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Kalkitech SYNC3000 Substation DCU GPC versions 2.22.6, 2.23.0, 2.24.0, 3.0.0, 3.1.0, 3.1.16, 3.2.3, 3.2.6, 3.5.0, 3.6.0, and 3.6.1, when WebHMI is not installed, contain a vulnerability that allows an attacker to inject client-side commands or scripts to be executed on the device with privileged access. The flaw resides in the webserver interface and does not require authentication.
Exploitation
An attacker with network connectivity to the device can exploit the webserver interface, typically through a browser, by sending crafted requests that inject client-side commands or scripts. No authentication is required, and the attack can be performed remotely over the network.
Impact
Successful exploitation allows the attacker to execute arbitrary client-side commands or scripts on the device with privileged access. This could lead to unauthorized information disclosure, modification of device settings, or further compromise of the substation network.
Mitigation
As of the publication date, no official patch or mitigation has been disclosed in the available references [1]. Users are advised to monitor vendor security advisories and consider network segmentation or firewall rules to restrict access to the affected devices until a fix is released.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Kalki Kalkitech / SYNC3000 Substation DCU GPC
- Range: 2.22.6, 2.23.0, 2.24.0, 3.0.0, 3.1.0, 3.1.16, 3.2.3, 3.2.6, 3.5.0, 3.6.0, 3.6.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- [1] www.kalkitech.com/cybersecurity/
- [2] www.kalkitech.com/wp-content/uploads/CYB_19561_Advisory.pdf
News mentions
No linked articles in our index yet.