PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-9414 LCDS - Leão Consultoria e Desenvolvimento de Sistemas Ltda ME CVE debrief

A cross-site scripting (XSS) vulnerability in LAquis SCADA version 4.7.1.511 allows remote attackers to inject arbitrary code into web pages. The vulnerability was disclosed by CISA on October 17, 2024, with a CVSS 3.1 score of 7.1 (HIGH). Successful exploitation could enable session hijacking, user redirection, or unauthorized actions within the SCADA web interface. The vendor has released version 4.7.1.611 to address this issue.

Vendor: LCDS - Leão Consultoria e Desenvolvimento de Sistemas Ltda ME
Product: LAquis SCADA
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-10-17
Original CVE updated: 2024-10-17
Advisory published: 2024-10-17
Advisory updated: 2024-10-17

Who should care

Organizations operating LAquis SCADA systems in manufacturing, energy, water treatment, or other industrial sectors. Security teams responsible for OT/ICS asset protection, SCADA administrators, and industrial cybersecurity practitioners should prioritize patching given the HIGH severity rating and potential for session compromise and unauthorized control actions.

Technical summary

The vulnerability exists in the web interface component of LAquis SCADA version 4.7.1.511. Insufficient input validation allows attackers to inject malicious scripts that execute in the context of authenticated users' browsers. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) indicates network attack vector, low complexity, no privileges required, user interaction required, with high confidentiality impact and low integrity impact. No availability impact is indicated. The attack surface is the SCADA web interface, commonly exposed in operational technology environments for remote monitoring and control.

Defensive priority

HIGH

Recommended defensive actions

  • Update LAquis SCADA to version 4.7.1.611 or later per vendor guidance
  • Implement network segmentation to restrict SCADA web interface access to authorized personnel only
  • Apply principle of least privilege for SCADA system accounts
  • Monitor web application logs for suspicious script injection attempts
  • Review and validate all user-supplied input in SCADA web interfaces
  • Consider deploying web application firewall (WAF) rules to detect and block XSS payloads

Evidence notes

CISA ICS advisory ICSA-24-291-02 published October 17, 2024, identifies XSS in LAquis SCADA 4.7.1.511 with CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N. Vendor fix available in version 4.7.1.611.
