Immediate patching of Weintek HMI flaws recommended

SecurityWeek reports that the Cybersecurity and Infrastructure Security Agency (CISA) has alerted organizations across the U.S. to three critical and high-severity vulnerabilities in Weintek cMT human-machine interfaces (HMIs), which should be immediately remediated. Attacks leveraging the flaws could facilitate authentication bypass and arbitrary command execution, eventually enabling total HMI takeovers, according to TXOne Networks researcher Hank Chen, who discovered and reported the vulnerabilities. Weintek reaffirmed these findings. "By combining [the vulnerabilities], a remote attacker may gain access to the system or remotely execute commands without authentication via the web server whose OS version is listed as affected," said Weintek. However, Chen noted that HMI passwords are needed for executing arbitrary commands. The vulnerabilities come months after CISA warned organizations about flaws in Weintek's Weincloud cloud-based HMI, which TXOne researchers noted could be abused to compromise programmable logic controllers, field devices, and other industrial control systems.
