On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a critical advisory highlighting a serious vulnerability impacting ME RTU remote terminal units. This flaw, identified as CVE-2023-2131, has been assigned a maximum severity score of 10.0 on the Common Vulnerability Scoring System (CVSS), underscoring its potential for exploitation due to low attack complexity.
The agency noted that successful exploitation could lead to remote code execution, presenting significant risks to organizations utilizing affected versions of INEA ME RTU firmware preceding version 3.36. This command injection vulnerability poses direct threats to industrial control systems, which are vital for various sectors including energy and manufacturing.
This vulnerability was brought to CISA’s attention by security researcher Floris Hendriks of Radboud University, marking a key instance of collaborative cybersecurity efforts between professionals and governmental agencies.
In conjunction with this advisory, CISA also released an alert regarding multiple security vulnerabilities in Intel® processors that affect Mitsubishi Electric’s Factory Automation (FA) products. These vulnerabilities could lead to privilege escalation and denial-of-service (DoS) scenarios, intensifying concerns over the security posture of critical operational technologies.
In light of these developments, CISA has encouraged organizations relying on critical infrastructure to review their supply chain security. Specifically, it urged them to consult the Federal Communications Commission’s (FCC) Covered List—a compilation of communications equipment considered to pose national security threats.
CISA is also advocating for the adoption of guidelines from the National Institute of Standards and Technology (NIST) to help organizations identify, assess, and mitigate vulnerabilities within their supply chains. They also emphasize the importance of enrolling in CISA’s complimentary Vulnerability Scanning service, which assists in identifying and addressing high-risk devices.
These initiatives align with broader collaborative efforts among cybersecurity authorities in nations including Australia, Canada, the United Kingdom, Germany, the Netherlands, New Zealand, and the U.S. to enact “secure by design” practices in product development, signifying a critical shift towards enhanced cybersecurity standards across industries.