CVE-2014-0780
Published: 25 April 2014
Summary
CVE-2014-0780 is a critical-severity Path Traversal (CWE-22) vulnerability in InduSoft Web Studio. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2014-0780 is a directory traversal vulnerability (CWE-22) affecting the NTWebServer component in InduSoft Web Studio version 7.1 prior to SP2 Patch 4. The flaw permits remote attackers to access administrative passwords stored in APP files through unspecified web requests, which can then be leveraged to execute arbitrary code. It carries a CVSS 3.1 base score of 9.8, reflecting network-accessible exploitation with no required authentication or user interaction.
Remote unauthenticated attackers can exploit the issue over the network to read sensitive credential files and subsequently run arbitrary code on the affected system. The vulnerability is exposed via the web server interface, enabling direct compromise of the industrial control software environment.
ICS-CERT advisory ICSA-14-107-02 and the vendor patch at the InduSoft download link recommend upgrading to InduSoft Web Studio 7.1 SP2 Patch 4 to address the directory traversal flaw. The referenced exploit-db entry demonstrates a working proof-of-concept for the password disclosure vector.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2014-0811
Vulnerability details
Directory traversal vulnerability in NTWebServer in InduSoft Web Studio 7.1 before SP2 Patch 4 allows remote attackers to read administrative passwords in APP files, and consequently execute arbitrary code, via unspecified web requests.
- CWE(s)
- KEV Date Added: 15 April 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Validates web request inputs to reject directory traversal sequences that would otherwise allow unauthorized reads of APP files containing passwords.
Enforces access control policies on NTWebServer resources so that unauthenticated remote requests cannot traverse directories and retrieve administrative credentials.
Applies boundary protection (e.g., request filtering or WAF rules) at the web server interface to block the network-accessible traversal vectors described in the CVE.
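The input-validation and access-enforcement controls above can be combined in one request-path check, sketched here as an added example; it is not InduSoft or NTWebServer code. The document root `C:\Project\Web` and the function name `resolve_request` are assumptions, since the CVE leaves the actual request format unspecified.

```python
import ntpath
from urllib.parse import unquote

WEB_ROOT = r"C:\Project\Web"      # hypothetical document root (assumption)
DENIED_EXTENSIONS = {".app"}      # APP files, which the CVE says hold passwords


def resolve_request(url_path, web_root=WEB_ROOT):
    """Return the absolute path that may be served, or None to reject."""
    # Decode until stable so double-encoded dots (%252e) cannot slip through;
    # anything still changing after three passes is rejected outright.
    decoded = url_path
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    else:
        return None

    # NUL bytes, drive letters and NTFS alternate data streams are never valid.
    if "\x00" in decoded or ":" in decoded:
        return None

    # Windows accepts both separators; make the path relative before joining.
    relative = decoded.replace("/", "\\").lstrip("\\")
    root = ntpath.normpath(web_root)
    candidate = ntpath.normpath(ntpath.join(root, relative))

    # Input validation: the canonical path must stay under the root.
    # Compare case-insensitively and with a trailing separator so that a
    # sibling such as C:\Project\Web2 does not pass the prefix test.
    norm_root = ntpath.normcase(root)
    norm_candidate = ntpath.normcase(candidate)
    if norm_candidate != norm_root and not norm_candidate.startswith(norm_root + "\\"):
        return None

    # Access enforcement: deny credential-bearing files even inside the root.
    # Windows ignores trailing dots and spaces, so strip them first.
    extension = ntpath.splitext(candidate.rstrip(". "))[1].lower()
    if extension in DENIED_EXTENSIONS:
        return None
    return candidate
```

The check uses `ntpath` rather than `os.path` so that Windows path semantics apply wherever the code is run or tested.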