Water Tank Management System Used Worldwide Has Unpatched Security Hole
The TMS300 CS water tank management system produced by Irish building materials company Kingspan is vulnerable to attack, according to security researchers. The management system is used in critical infrastructure locations across the world and enables the user to view tank level information via a screen, web server, application, online portal, or email. In addition, the system features wired and wireless multi-tank level measurements as well as alarms and network connectivity. Despite the detected vulnerability, which has been described as critical, the vendor does not appear to want to patch the bug.
The CISA published an advisory earlier this week stating that the vulnerability could allow a remote hackers to exploit the flaw. The critical vulnerability is the product of the lack of properly implemented access control rules, ultimately allowing for an unauthenticated user to view or modify device settings. The vulnerability could be exploited by an attacker to threaten critical infrastructure by tampering with tank details, alarm thresholds, and sensors. Therefore, the vulnerability could have serious implications for organizations that are targeted.