CVE-2024-4708 mySCADA CVE debrief

Who should care

Organizations operating mySCADA myPRO in industrial control system environments, including manufacturing, energy, water/wastewater, and critical infrastructure sectors. Security teams responsible for OT/ICS asset protection and vulnerability management programs.

Technical summary

The mySCADA myPRO application contains a hard-coded password vulnerability that enables unauthenticated remote attackers to execute arbitrary code on affected devices. The vulnerability is network-exploitable with low attack complexity, requiring no privileges or user interaction. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Affected versions: myPRO < 8.31.0. Remediation: upgrade to myPRO 8.31.0.

Defensive priority

critical

Recommended defensive actions

• Update mySCADA myPRO to version 8.31.0 or later immediately
• Verify no unauthorized access occurred on affected systems prior to patching
• Review system logs for anomalous remote connections or code execution indicators
• Implement network segmentation for ICS/SCADA systems per CISA recommended practices
• Apply defense-in-depth controls including access restrictions and monitoring for industrial control systems

Evidence notes

CISA ICS advisory ICSA-24-184-02 confirms the hard-coded password vulnerability in myPRO versions before 8.31.0, with CVSS 3.1 score of 9.8. The advisory was published on 2024-07-02 with initial revision. No KEV listing or known ransomware campaign use is documented.

Official resources