Cybersecurity experts have identified serious vulnerabilities within widely used industrial VPN systems, which are crucial for accessing operational technology (OT) networks remotely. These vulnerabilities may enable malicious actors to manipulate data, execute harmful code, or interfere with industrial control systems (ICS), raising significant security concerns across various sectors.
A newly released report from Claroty, a leader in industrial cybersecurity, details multiple critical vulnerabilities affecting enterprise-grade VPN installations, including the Secomea GateManager M2M Server, the Moxa EDR-G902 and EDR-G903, and HMS Networks’ eWon eCatcher VPN client. The affected systems are prevalent in industries such as oil and gas, water utilities, and electric utilities, where they provide remote access to ICS and associated devices, including programmable logic controllers (PLCs).
Researchers from Claroty indicated that exploiting these vulnerabilities could give unauthorized attackers direct access to ICS devices, with the potential to cause substantial physical damage. In particular, the Secomea GateManager was found to harbor several security issues, notably a critical vulnerability (CVE-2020-14500) that permits arbitrary data overwriting, arbitrary code execution, and denial of service, and that leverages weak hash algorithms to compromise user passwords.
The GateManager acts as a remote access server deployed globally, providing users secure connections to internal networks via an encrypted tunnel without complex server setups. However, researchers discovered that inadequate handling of HTTP request headers makes the system susceptible to remote code execution without requiring user authentication. Such a vulnerability could yield full access to a victim’s internal network, including the ability to decrypt the VPN’s traffic.
In Moxa’s EDR-G902 and EDR-G903 industrial VPN servers, a stack-based buffer overflow vulnerability (CVE-2020-14511) was identified, triggered through specially crafted HTTP requests, thus allowing remote code execution without the need for authentication. Similarly, HMS Networks’ eCatcher VPN client was found vulnerable to a critical stack-based buffer overflow (CVE-2020-14498) that could be exploited through manipulated HTML elements in emails or websites, granting attackers complete control over the compromised machine.
Following the discovery of these vulnerabilities, all three vendors promptly addressed the issues, releasing security updates to mitigate the risks. Secomea recommends that users update to the newly released GateManager versions 9.2c or 9.2i. Moxa users should upgrade their EDR-G902 and EDR-G903 products to v5.5, while HMS Networks advises updating eCatcher to version 6.5.5 or later.
In the context of the MITRE ATT&CK framework, these incidents illustrate tactics such as initial access—where attackers exploit vulnerabilities to gain entry into a system—and privilege escalation, which could enable unauthorized actors to escalate their access rights and control over the targeted systems. Business owners must remain vigilant regarding these vulnerabilities and promptly apply updates to protect their industrial systems from potential exploitation.
Following these developments, it is essential for businesses in sectors that rely on industrial VPN technologies to stay informed about emerging threats and to ensure the integrity of their operational technology systems. Continual monitoring and prompt application of vendor security updates as they become available are crucial steps in defending against evolving cybersecurity risks.