PatchSiren cyber security CVE debrief
CVE-2024-3746 Measuresoft CVE debrief
CVE-2024-3746 is a medium-severity vulnerability in Measuresoft ScadaPro 6.9.0.0, published by CISA on April 16, 2024. The issue stems from insecure default file system permissions: the installation directory C:\ScadaPro and all subdirectories are writable by any user, including unprivileged accounts. This local attack vector allows low-privileged users to overwrite critical application files, potentially leading to integrity compromise of the SCADA system. The CVSS 3.1 score of 5.5 reflects local attack requirements but highlights high impact to integrity. No known exploitation in ransomware campaigns has been reported.
- Vendor: Measuresoft
- Product: ScadaPro
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-16
- Original CVE updated: 2024-04-16
- Advisory published: 2024-04-16
- Advisory updated: 2024-04-16
Who should care
Organizations operating Measuresoft ScadaPro 6.9.0.0 in industrial control or SCADA environments should prioritize this fix. System administrators responsible for Windows-based SCADA deployments, OT security teams, and compliance officers managing NERC CIP or IEC 62443 adherence should address this permission misconfiguration. Asset owners in critical infrastructure sectors including energy, water, and manufacturing using this software should audit their installations.
Technical summary
The vulnerability exists in the default installation configuration of Measuresoft ScadaPro 6.9.0.0 on Windows systems. The C:\ScadaPro directory and its entire subdirectory tree are created with overly permissive access control lists (ACLs) that grant write access to all users (BUILTIN\Users or equivalent). This allows any authenticated user with local access to modify, replace, or delete application binaries, configuration files, and data files. Successful exploitation could result in denial of service, application manipulation, or potential code execution if malicious files are loaded by privileged processes. The attack requires local access and low privileges, with no user interaction needed.
Defensive priority
medium
Recommended defensive actions
- Manually reconfigure the C:\ScadaPro directory and all of its subdirectories to remove write permissions for unprivileged users, restricting write access to only the necessary administrative or service accounts.
- Apply principle of least privilege to all SCADA system directories and regularly audit file system permissions on industrial control systems.
- Review CISA's ICS recommended practices for defense-in-depth strategies applicable to industrial control environments.
- Monitor for unauthorized file modifications in ScadaPro installation directories through file integrity monitoring solutions.
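The following PowerShell script is an added example of the first two actions above; it is not code from the CISA advisory or from Measuresoft. It audits every file and folder under the install tree for write-class rights granted to broad groups (BUILTIN\Users, Everyone, Authenticated Users, INTERACTIVE), and with `-Fix` replaces the tree's ACLs with an explicit least-privilege set, then re-audits. `C:\ScadaPro` is taken from the advisory; the `$ServiceAccount` default is a placeholder assumption and must be changed to whatever identity actually runs the ScadaPro services, since that account may legitimately need to write data files. Run it from an elevated session, and test on a non-production install first because any write-dependent component that runs under a different account will lose access.

```powershell
# Added example (not from the CISA advisory or Measuresoft): audit the NTFS ACLs
# under the ScadaPro install tree for write rights held by low-privileged
# principals, and optionally replace them with an explicit least-privilege ACL.
# $InstallRoot matches the advisory's C:\ScadaPro; $ServiceAccount is a
# placeholder for the identity that runs the ScadaPro services.
param(
    [string]$InstallRoot    = 'C:\ScadaPro',
    [string]$ServiceAccount = 'NT AUTHORITY\SYSTEM',   # placeholder, see above
    [switch]$Fix
)

# Principals that any local or interactive user automatically belongs to.
$BroadPrincipals = @(
    'BUILTIN\Users', 'Everyone',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)

# Only the bits that let a caller alter or remove content. ReadPermissions and
# Synchronize are deliberately excluded so a ReadAndExecute grant is not a finding.
$FsRights  = [System.Security.AccessControl.FileSystemRights]
$WriteMask = $FsRights::Write -bor $FsRights::Delete -bor
             $FsRights::DeleteSubdirectoriesAndFiles -bor
             $FsRights::ChangePermissions -bor $FsRights::TakeOwnership

function Find-BroadWriteAccess {
    param([string]$Root)
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Set-LeastPrivilegeAcl {
    param([string]$Root, [string]$ServiceAccount)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None

    # Root: stop inheriting from the parent volume, drop every existing ACE, then
    # grant only what the advisory's guidance allows.
    $acl = Get-Acl -LiteralPath $Root
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $grants = @(
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @('BUILTIN\Administrators', 'FullControl'),
        @($ServiceAccount,          'Modify'),          # the one non-admin writer
        @('BUILTIN\Users',          'ReadAndExecute')   # operators can run, not alter
    )
    foreach ($g in $grants) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $g[0], $g[1], $inherit, $prop, 'Allow')))
    }
    Set-Acl -LiteralPath $Root -AclObject $acl

    # Subtree: re-enable inheritance and strip explicit ACEs so nothing below the
    # root can re-grant write access to the broad groups.
    Get-ChildItem -LiteralPath $Root -Recurse -Force | ForEach-Object {
        $childAcl = Get-Acl -LiteralPath $_.FullName
        $childAcl.SetAccessRuleProtection($false, $false)
        foreach ($ace in @($childAcl.Access | Where-Object { -not $_.IsInherited })) {
            [void]$childAcl.RemoveAccessRule($ace)
        }
        Set-Acl -LiteralPath $_.FullName -AclObject $childAcl
    }
}

$findings = @(Find-BroadWriteAccess -Root $InstallRoot)
if ($findings.Count -eq 0) {
    Write-Host "No broad write access found under $InstallRoot"
} else {
    $findings | Format-Table -AutoSize
    if ($Fix) {
        Set-LeastPrivilegeAcl -Root $InstallRoot -ServiceAccount $ServiceAccount
        # Re-audit to confirm the remediation actually took effect.
        $remaining = @(Find-BroadWriteAccess -Root $InstallRoot)
        Write-Host "Remaining findings after fix: $($remaining.Count)"
    }
}
```

Without `-Fix` the script only reports, which makes it suitable as a recurring audit job on other SCADA directories as well; a non-empty result after remediation usually means a child object has an explicit ACE that survived, or that a different group (for example a site-specific operators group) also needs review.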
Evidence notes
The vulnerability description and remediation guidance are sourced from CISA's CSAF-formatted advisory, which identifies the affected product as Measuresoft ScadaPro version 6.9.0.0. The CVSS vector confirms local attack vector with low attack complexity and high integrity impact.
Official resources
- CVE-2024-3746 CVE record (CVE.org)
- CVE-2024-3746 NVD detail (NVD)
- Source item URL: cisa_csaf
CISA published advisory ICSA-24-107-01 on April 16, 2024, disclosing this vulnerability with vendor-coordinated guidance.