CVE-2023-49960 is a path traversal vulnerability identified in the Indo-Sol PROFINET-INspektor NT firmware versions up to 2.4.0. The vulnerability exists in the httpuploadd service, specifically in the handling of the /upload endpoint. An attacker can exploit this flaw by crafting a malicious filename parameter in an HTTP request to the /upload endpoint, which allows them to write files to arbitrary locations on the device's filesystem. This type of vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The vulnerability is remotely exploitable over the network without requiring any authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The CVSS base score is 7.5, categorizing it as a high-severity issue. The impact primarily affects the integrity of the system, as unauthorized file writes can lead to modification or replacement of critical files, potentially enabling further compromise or persistent access. There is no indication of confidentiality or availability impact directly from this vulnerability. No patches or vendor advisories are currently available, and no known exploits have been reported in the wild as of the publication date (February 26, 2024). The Indo-Sol PROFINET-INspektor NT is a network monitoring tool used in industrial environments, particularly for PROFINET industrial Ethernet networks, which are common in manufacturing and critical infrastructure sectors. The ability to write arbitrary files remotely could allow attackers to implant malicious payloads, alter configurations, or disrupt monitoring capabilities, posing significant risks to industrial control systems (ICS).

For European organizations, especially those operating in industrial automation, manufacturing, and critical infrastructure sectors, this vulnerability poses a significant risk. PROFINET is widely used in European industrial environments, including automotive manufacturing, energy production, and utilities. Exploitation could lead to unauthorized modification of device firmware or configuration files, potentially disrupting industrial network monitoring and control processes. This could result in undetected malicious activity, operational downtime, or sabotage of industrial processes. Given the lack of authentication and the network-exposed nature of the vulnerability, attackers could leverage this flaw to establish persistence or pivot within industrial networks. The impact on integrity is critical in ICS environments where data accuracy and system reliability are paramount. Although no availability impact is directly indicated, indirect effects such as system misconfiguration or corrupted monitoring data could degrade operational safety and efficiency. The absence of known exploits in the wild suggests limited current active targeting, but the high severity and ease of exploitation warrant immediate attention from European organizations relying on Indo-Sol PROFINET-INspektor NT devices.

Implement network segmentation to isolate PROFINET-INspektor NT devices from general IT networks and restrict access to the /upload endpoint to trusted management stations only. Deploy strict firewall rules and intrusion detection/prevention systems (IDS/IPS) to monitor and block suspicious HTTP requests targeting the /upload endpoint, especially those containing unusual filename parameters. Conduct thorough inventory and asset management to identify all Indo-Sol PROFINET-INspektor NT devices in the environment and assess their firmware versions. Apply compensating controls such as disabling or restricting the httpuploadd service if feasible until an official patch is released by the vendor. Monitor device logs and network traffic for anomalous upload attempts or unauthorized file modifications. Engage with Indo-Sol or authorized vendors to obtain information on upcoming patches or firmware updates addressing this vulnerability and plan timely deployment once available. Educate operational technology (OT) security teams on this vulnerability and ensure incident response plans include scenarios involving ICS device compromise through file manipulation.