Researchers have developed proof-of-concept malware capable of compromising Building Automation Systems after discovering two critical bugs in a BAS programmable logic controller (PLC).

Created by experts at ForeScout, the malware exploits both vulnerabilities in combination with several older flaws that were previously known to the public, according to a ForeScout white paper released today in conjunction with a presentation by CTO Elisa Costante at the S4x19 industrial controls systems cybersecurity conference.

In the white paper, ForeScout warns that the attack surface of BAS systems is markedly increasing due to the proliferation of IoT devices within these systems. Consequently, malicious actors could potentially take advantage, launching attacks that could, for instance, sabotage HVAC devices to overheat data centers or compromise physical access control systems in order to gain unauthorized entry to sensitive locations.

In a separate, corporate blog post, ForeScout says that company researchers last year discovered the two critical flaws in a June 2013 version of the PLC. Reportedly, the vendor was already aware of the vulnerabilities at the time of private disclosure and had patched them in an update of the device. Regardless, ForeScout insists that the problem remains serious because the issue was never reported to the public, and many organizations are still using unpatched versions of the product. ForeScout has chosen to maintain the anonymity of the vendor.

ForeScout described the first of the two critical flaws as the use of a hard-coded secret while encrypting stored user passwords. “This weakness allows an attacker to obtain the credentials of valid users of the device,” the blog post states. The second problem is a buffer overflow that can result in remote code execution on the PLC.
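To illustrate the flaw class described above, here is an added example (constructed for this article, not ForeScout's code and not the affected PLC's firmware): a credential store that "encrypts" passwords with a fixed secret baked into every firmware image, beside the standard fix, a salted password hash that cannot be reversed even by someone who holds the firmware. The constant `FIRMWARE_SECRET`, the function names and the sample passwords are all assumptions.

```python
"""Hard-coded secret vs. salted hash for stored device passwords."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a key compiled into every firmware image: anyone
# who extracts one copy of the firmware has it, so it protects nothing.
FIRMWARE_SECRET = b"constructed-fixed-firmware-key"
PBKDF2_ROUNDS = 200_000


def _keystream_xor(data: bytes) -> bytes:
    """Keystream derived only from the fixed secret; XOR is its own inverse."""
    stream = hashlib.sha256(FIRMWARE_SECRET).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))


def vulnerable_store(password: str) -> bytes:
    """Flawed design: reversible 'encryption' under a secret shared by all units."""
    return _keystream_xor(password.encode("utf-8"))


def recover_from_vulnerable(blob: bytes) -> str:
    """Anyone holding FIRMWARE_SECRET turns the stored blob back into the password."""
    return _keystream_xor(blob).decode("utf-8")


def hardened_store(password: str, salt: Optional[bytes] = None) -> tuple:
    """Fix: per-user random salt plus a slow one-way KDF; nothing to decrypt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def hardened_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check recomputes the hash; constant-time compare avoids timing leaks."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def stored_values_are_deterministic(store, password: str) -> bool:
    """Audit check: two devices storing the same password should NOT yield the
    same bytes. Identical blobs across units are a sign of a fixed key/no salt."""
    return store(password) == store(password)
```

The audit helper can be pointed at an exported credential table from two units: identical blobs for a known shared password indicate the fixed-secret design rather than per-device salting.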

The summary also details five additional, lower-severity vulnerabilities found in two other BAS devices. These flaws are not exploited by the PoC malware and were patched by their respective vendors. ForeScout identified them as cross-site scripting, path traversal and arbitrary file deletion vulnerabilities in the Loytec LGATE-902 gateway, and cross-site scripting and authentication bypass flaws in the EasyIO 30P building management system controller.

“Besides the vulnerabilities reported here, we also found severe misconfigurations on a second-hand workstation used to manage building automation devices,” the blog post said, “which allowed us to obtain remote code execution and finally administrator privileges on the running operating system. In this case, the vendor claimed that these issues were introduced by the integrator. The fact that these kinds of vulnerabilities – which are simple to find and fix, but also very simple to exploit – are still present in devices potentially used in critical buildings is alarming.”

Earlier this week, researchers at Tenable disclosed four vulnerabilities in IDenticard Corp.’s PremiSys building access control system, which attackers could exploit to sneak into restricted locations.