Triangle MicroWorks SCADA Data Gateway Event Log Directory Traversal Arbitrary File Creation Vulnerability

The Directory Traversal vulnerability in SCADA Data Gateway allows an attacker to bypass authentication and create files anywhere on the system the process has write access. This could involve overwriting critical configuration files, injecting malicious code, or creating backdoor accounts. Successful exploitation could lead to complete system compromise, data exfiltration, and disruption of industrial control processes. The ability to bypass authentication significantly increases the risk, as it removes a key security barrier. While the description mentions the need for authentication, the bypass capability makes this a serious concern.

Organizations utilizing Triangle MicroWorks SCADA Data Gateway in industrial control systems are at risk. This includes critical infrastructure sectors such as energy, water, and manufacturing. Systems with legacy configurations or those lacking robust access controls are particularly vulnerable. Shared hosting environments where multiple users share the same SCADA Data Gateway instance also face increased risk.

• linux / server: Monitor system logs (journalctl) for unusual file creation events in unexpected directories. Use auditd to track file access attempts.

auditctl -w /path/to/sensitive/directory -p wa -k directory_traversal

• generic web: Use curl to probe for directory traversal attempts.

curl 'http://scada-gateway/../../../../etc/passwd'

• windows / supply-chain: Monitor PowerShell logs for suspicious commands involving file creation or modification. Check Autoruns for unusual entries that could be related to the vulnerability.

1. 2024-05-03Disclosure

   disclosure

1. Reserviert2023-08-02
2. Veröffentlicht2024-05-03
3. Geändert2024-08-02
4. EPSS aktualisiert2026-04-02

The primary mitigation is to upgrade to a patched version of the SCADA Data Gateway as soon as it becomes available from Triangle MicroWorks. Until a patch is applied, implement temporary mitigations. Configure a Web Application Firewall (WAF) to block requests containing suspicious path traversal sequences (e.g., '../'). Implement strict file access controls, limiting the write permissions of the SCADA Data Gateway process to the absolute minimum required. Regularly review and audit file system access logs for any unauthorized file creation attempts. Consider implementing intrusion detection system (IDS) rules to detect unusual file creation activity.