Cyber Resilience

CVE-2014-0780

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 25 April 2014
Modified: 22 April 2026
KEV Added: 15 April 2022
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8925 (99.6th percentile)
Risk Priority: 93 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2014-0780 is a critical-severity Path Traversal (CWE-22) vulnerability in InduSoft Web Studio. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.4% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2014-0780 is a directory traversal vulnerability (CWE-22) affecting the NTWebServer component in InduSoft Web Studio version 7.1 prior to SP2 Patch 4. The flaw permits remote attackers to access administrative passwords stored in APP files through unspecified web requests, which can then be leveraged to execute arbitrary code. It carries a CVSS 3.1 base score of 9.8, reflecting network-accessible exploitation with no required authentication or user interaction.

Remote unauthenticated attackers can exploit the issue over the network to read sensitive credential files and subsequently run arbitrary code on the affected system. The vulnerability is exposed via the web server interface, enabling direct compromise of the industrial control software environment.

ICS-CERT advisory ICSA-14-107-02 and the vendor patch at the InduSoft download link recommend upgrading to InduSoft Web Studio 7.1 SP2 Patch 4 to address the directory traversal flaw. The referenced exploit-db entry demonstrates a working proof-of-concept for the password disclosure vector.

Vulnerability details

Directory traversal vulnerability in NTWebServer in InduSoft Web Studio 7.1 before SP2 Patch 4 allows remote attackers to read administrative passwords in APP files, and consequently execute arbitrary code, via unspecified web requests.

CWE(s): CWE-22
KEV Date Added: 15 April 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

indusoft · web studio · 7.1

Mitigating Controls (NIST 800-53 r5)

prevent: Validates web request inputs to reject directory traversal sequences that would otherwise allow unauthorized reads of APP files containing passwords.

prevent: Enforces access control policies on NTWebServer resources so that unauthenticated remote requests cannot traverse directories and retrieve administrative credentials.

prevent: Applies boundary protection (e.g., request filtering or WAF rules) at the web server interface to block the network-accessible traversal vectors described in the CVE.
