PatchSiren cyber security CVE debrief
CVE-2024-50054 mySCADA CVE debrief
A path traversal vulnerability in mySCADA myPRO Manager and myPRO Runtime allows unauthenticated remote attackers to retrieve arbitrary files from the underlying file system. The backend fails to sufficiently validate a user-controlled filename parameter, enabling directory traversal sequences to escape intended access boundaries. This vulnerability affects myPRO Manager versions prior to 1.3 and myPRO Runtime versions prior to 9.2.1. The issue carries a HIGH severity CVSS 3.1 score of 7.5, indicating significant risk to affected industrial control system environments. CISA published this advisory on November 21, 2024 as ICSA-24-326-07.
- Vendor: mySCADA
- Product: myPRO Manager
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-11-21
- Original CVE updated: 2024-11-21
- Advisory published: 2024-11-21
- Advisory updated: 2024-11-21
Who should care
Organizations operating mySCADA myPRO Manager or myPRO Runtime in industrial control system (ICS) environments, including manufacturing facilities, energy utilities, water treatment plants, and other critical infrastructure sectors. Security teams responsible for OT/ICS asset protection, SCADA system administrators, and compliance officers managing NERC CIP or IEC 62443 security programs should prioritize assessment and remediation.
Technical summary
The mySCADA myPRO Manager and myPRO Runtime products contain a path traversal vulnerability in their backend file handling functionality. The application accepts a user-controlled filename parameter without adequate validation or sanitization, allowing an attacker to inject directory traversal sequences (such as ../) to navigate outside the intended directory structure. This enables unauthenticated remote attackers to read arbitrary files from the server's file system, potentially exposing sensitive configuration data, credentials, or system files. The vulnerability is network-exploitable with low attack complexity and requires no privileges or user interaction. Affected versions include myPRO Manager prior to 1.3 and myPRO Runtime prior to 9.2.1. The vendor has released patched versions that address this validation deficiency.
Defensive priority
HIGH
Recommended defensive actions
- Update mySCADA myPRO Manager to version 1.3 or later
- Update mySCADA myPRO Runtime to version 9.2.1 or later
- Apply network segmentation to limit exposure of mySCADA systems to untrusted networks
- Implement input validation and sanitization for filename parameters in custom applications
- Monitor for anomalous file access patterns in myPRO Manager and Runtime deployments
- Review and apply CISA ICS recommended practices for industrial control system security
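As an added example that is not part of this debrief or of mySCADA's own code, the two defensive checks behind the input-validation and monitoring actions above: a containment check that canonicalises a filename parameter against a base directory before any file is opened (so encoded, backslash and symlink variants of traversal are all caught by the same resolved-path comparison), and a scan over constructed web access log lines for traversal sequences hidden in query parameters. The base directory, the endpoint and the parameter name are assumptions, since the advisory does not name them.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

BASE_DIR = "/opt/scada/projects"  # constructed; the product's real layout is not on the page

def normalize_filename(value: str) -> str:
    """Decode percent-encoding twice (catches double-encoded "..") and fold backslashes."""
    return unquote(unquote(value)).replace("\\", "/")

def resolve_safe_path(base_dir: str, filename: str):
    """Absolute path for filename if it stays inside base_dir, else None.
    Rejects NUL bytes, absolute paths, empty names, and anything that leaves
    base_dir once fully resolved (".." segments and symlinks alike)."""
    decoded = normalize_filename(filename)
    if "\x00" in decoded or decoded.startswith("/") or not decoded.strip("./"):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Containment check: the shared prefix of base and candidate must be base itself.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def has_dotdot_segment(value: str) -> bool:
    """True when the decoded value contains a '..' path segment."""
    return ".." in normalize_filename(value).split("/")

# Request target of a combined-format web access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def flag_traversal_requests(log_lines) -> list:
    """Request targets whose query parameters carry a traversal sequence, encoded or not."""
    hits = []
    for match in filter(None, map(REQUEST_RE.search, log_lines)):
        target = match.group(1)
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if any(has_dotdot_segment(v) for values in params.values() for v in values):
            hits.append(target)
    return hits

# Constructed sample log lines; the endpoint and parameter name are assumptions.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Nov/2024:10:00:01 +0000] "GET /api/file?name=report.csv HTTP/1.1" 200 512',
    '10.0.0.9 - - [21/Nov/2024:10:00:07 +0000] "GET /api/file?name=..%2F..%2Fsystem.ini HTTP/1.1" 200 1423',
    '10.0.0.9 - - [21/Nov/2024:10:00:09 +0000] "GET /api/file?name=%252e%252e%255cconfig.ini HTTP/1.1" 404 0',
    '10.0.0.5 - - [21/Nov/2024:10:00:12 +0000] "GET /static/app.js HTTP/1.1" 200 8800',
]
```

The containment check accepts `sub/../report.csv` (it resolves to a file inside the base directory) while rejecting every form of `..` that resolves outside it, which is the difference between canonicalisation and a string blacklist.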
Evidence notes
Vulnerability description and affected product versions derived from CISA CSAF advisory ICSA-24-326-07. CVSS score and severity from official CVE record. Vendor remediation guidance explicitly recommends updating to myPRO Manager 1.3 and myPRO Runtime 9.2.1.
Official resources
- CVE-2024-50054 CVE record (CVE.org)
- CVE-2024-50054 NVD detail (NVD)
- Source item URL: cisa_csaf
2024-11-21