WebsiteGear Logo Log In
New User? Sign Up
About | Contact | FAQ
  Home News Web Hosting Computer Hardware Wednesday, July 8, 2026 
Add Press Release News | News Feeds Feeds | Email This News Email


SCADAfence Discovers First-Ever Vulnerabilities In Widely Deployed BMS Devices
Friday, August 19, 2022

NIST Issues 4 CVE's Resulting From SCADAfence's Findings

RAMAT GAN, Israel, Aug. 11, 2022 /PRNewswire/ -- SCADAfence, the global technology leader in OT & IoT cyber security, today announced that their cyber security research team has discovered major vulnerabilities on multiple industrial devices that have no previous CVEs.

In response, NIST has issued the first-ever CVEs for Alerton, a subsidiary of Honeywell. The most serious of the vulnerabilities received a base score of 8.8, indicating that NIST believes it to be a very high-impact exposure in Alerton's product.

The new CVEs affect the Ascent suite of products commonly used in industrial Building Management System (BMS). Left unhandled, these vulnerabilities could allow users with malicious intent to access Alerton's controllers and make unauthorized configuration changes to BMS devices. The changes would not be reflected in the user interface, making them likely to go undetected.

"The vulnerabilities discovered by the SCADAfence research team could lead to a major cyber event if not patched," said SCADAfence CEO Elad Ben-Meir. "SCADAfence reiterates its commitment to increasing the security posture of the world's critical infrastructure and OT networks. These findings are only the latest contributions of our team of OT research experts, who continuously pentest the most commonly deployed devices and work with tier-one organizations to maintain OT network security."

The Alerton Ascent BMS system dates back to 2014, and comprises several hardware components including the Ascent Control Module,and the Ascent Compass software which is used as the Human/Machine Interface (HMI). Alerton has been a subsidiary of The Honeywell Corporation since 2005.

Any facility that has deployed the Ascent BMS system could be vulnerable to attack by threat actors exploiting these weaknesses.

There are an unlimited number of potentially dangerous scenarios that could be caused by threat actors exploiting these vulnerabilities.

Some possibilities include -

    --  9/11 style hijackers attack a building's BMS systems and cause
        catastrophic damage. No airplane needed.
    --  An IVF clinic that stores human embryos at sub-zero temperatures could
        experience an undetected rise in temperatures that would result in the
        destruction of the embryos.
    --  Pharmaceutical production facilities that require specific temperatures
        for manufacturing life-saving medications or vaccinations could have to
        throw out millions of doses.
    --  Server farms that house critical hardware could be caused to overheat,
        leading to the destruction of vital data.
    --  Any manufacturing facility that employs chemicals could have their
        ventilation system remotely shut down, leading to physical injury to
        workers.
    --  Food production facilities that require consistent temperatures for food
        safety, could unknowingly ship tainted products.
    --  There were two groups of major vulnerabilities discovered by
        SCADAfence's protocol research team that led NIST to issue the new CVEs.

The first allows unauthenticated configuration changes to be made by a remote user. This enables configuration data to be stored on the controller and then implemented. A user with malicious intent can send a crafted packet to change the controller configuration without the knowledge of the other users, altering the controller's function capabilities.

The second allows unauthenticated programming writes to be made by remote users. This enables code to be stored on the controller and then run without verification. A user with malicious intent can send a crafted packet to change and/or stop the program without the knowledge of other users, altering the controller's function. After the programming change, the program needs to be overwritten in order for the controller to restore its original operational function.

Full details on the newly issued CVEs can be found on the official NIST website.

https://nvd.nist.gov/vuln/detail/CVE-2022-30242

https://nvd.nist.gov/vuln/detail/CVE-2022-30243

https://nvd.nist.gov/vuln/detail/CVE-2022-30244

https://nvd.nist.gov/vuln/detail/CVE-2022-30245

To address these weaknesses and keep their organization safe, SCADAfence advises anyone who has deployed Alerton's Ascent BMS to make sure their OT network is isolated, BAS firewalls are configured properly, ACM baseline configurations are created and maintained, BAS protocols are disabled on external network segments and that Ethernet is disabled on all ports that do not require BACnet/Ethernet. Additionally, it is important to implement a network monitoring tool to observe any access via the BACnet protocol or attempts to access devices and change any configurations.

About SCADAfence

SCADAfence is the global technology leader in OT & IoT cyber security. The SCADAfence platform enables organizations with complex OT networks to embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. The non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and governance with minimal false-positives. SCADAfence delivers proactive security and visibility to some of the world's most complex OT networks, including the largest manufacturing facility in Europe. SCADAfence enables organizations in manufacturing, building management and critical infrastructure industries to operate securely, reliably and efficiently. To learn more, visit our website, check out our blog, or follow us on LinkedIn.

Contact:
Joan Weiner-Levin
joan.levin@scadafence.com

View original content:https://www.prnewswire.com/news-releases/scadafence-discovers-first-ever-vulnerabilities-in-widely-deployed-bms-devices-301604282.html

SOURCE SCADAfence



Email This News Email | Submit To Slashdot Slashdot | Submit To Digg.com Digg | Submit To del.icio.us Del.icio.us | News Feeds Feeds

RELATED NEWS ARTICLES
Nav Energy Toolbase Launches Energy Storage Partnership with Sungrow to Support PowerStack 255CS and PowerTitan 2.0 | Jan 22, 2026
Nav Einride and IonQ Partnership Uses Quantum Computing to Optimize the Logistics of Electric and Autonomous Freight | Jan 22, 2026
Nav RS now offers Phoenix Contact's pioneering new NearFi technology | Jan 22, 2026
Nav SCAILIUM Debuts "AI Production Layer" to Overcome GPU Starvation and Slash AI Energy Waste | Jan 22, 2026
Nav MetaOptics to Showcase Five Breakthrough Metalens-Powered Products at CES 2026 | Jan 22, 2026
Nav No Assembly Required: Barrett Distribution Centers Powers Maxwood Furniture's West Coast DTC Expansion | Jan 22, 2026
Nav Quantum Art Raises $100 Million in Series A Round to Drive Scalable, Multi-Core Quantum Computing | Jan 22, 2026
Nav TESSAN to Redefine Global Mobility at CES 2026 with '100 Travelers' Initiative and Flagship Voyager 205 | Jan 22, 2026
Nav Hesai Recognized as the Only Lidar Company on Morgan Stanley's "Humanoid Tech 25" of Global Robotics Leaders | Jan 22, 2026
Nav 1inch Named Exclusive Swap Provider at Launch for Ledger Multisig | Jan 22, 2026
NEWS SEARCH

FEATURED NEWS | POPULAR NEWS
Submit News | View More News View More News