A vulnerability that was supposedly patched last January in the Advantech WebAccess SCADA software solution for IoT environments was never actually fixed, according to a new report, and as a result the product remains susceptible to remote code execution from unauthenticated attackers.

What’s worse, a proof-of-concept exploit for this vulnerability has been publicly available since Mar. 12, warned cybersecurity company Tenable in a blog post yesterday. This means users who thought their ICS networks were protected all this time theoretically could actually have been compromised.

The vulnerability, CVE-2017-16720, is a path traversal flaw that was originally disclosed in a Jan. 4 ICS-CERT security advisory, which stated that Advantech addressed this and several other problems with the release of WebAccess Version 8.3. But Tenable reports that its researcher Chris Lyne discovered this past July that the fix never really happened. Since then, versions 8.3.1 and 8.3.2 have been released, but still with no patch, Tenable notes in its report.

Following the surprise discovery, Lyne promptly contacted both Advantech and the Department of Homeland Security’s ICS-CERT team to coordinate a response. According to Tenable, Advantec told ISC-CERT that it will release a fix in September. Although a specific date has not been provided, Tenable nonetheless held firm to its 45-day disclosure deadline of Sept. 10 and published the news yesterday.

Asked for further clarification, Tenable declined to provide a statement. SC Media also reached out to Advantech and DHS’ ICS-CERT/National Cybersecurity & Communications Integration Center (NCCIC) for comment.