The IT company’s experts discovered three vulnerabilities in the energy resource accounting devices produced by the Energomera company

Positive Technologies has described vulnerabilities it found in energy resource metering devices. By exploiting these flaws, potential attackers could cut off the electricity in an apartment building, office or business. The IT company’s experts discovered three vulnerabilities in the SE805M USPD manufactured by the Energomera company.

The first vulnerability, BDU:2023-04841, received a near-maximum score of 9.8 out of 10 on the CVSS 3.0 scale. It made it possible to change the parameters of the equipment. The second, BDU:2023-04842, was rated 8.1 out of 10 on the CVSS 3.0 scale and had the potential to compromise database integrity or cause a denial of service. The third, BDU:2023-04843, also received a high score of 8.8 out of 10 on the CVSS 3.0 scale. This vulnerability could allow an attacker to modify a device setting and execute OS commands triggered by an automatic application software update.

According to monitoring data, 51% of potentially vulnerable devices are located in Russia, 28% in Azerbaijan, 2% in Germany and 1% in Kazakhstan. The SE805M USPD is designed to collect data from energy resource accounting devices, transfer the received information to the upper level of ASKUE systems (automated systems for commercial electricity accounting), and manage and monitor the state of the automation object.

This equipment is used at substations, in switchboards of industrial enterprises, and in residential and office buildings. Energomera was notified of the threat under the responsible disclosure policy and has already released a software update to eliminate the vulnerabilities. The company produces more than 3 million devices annually. The manufacturer recommends updating the device firmware to version 4.13. IT experts also recommend limiting or prohibiting, where possible, access to the network port intended for remote USPD configuration.
