Eaton HMiSoft VU3 (ICSA-20-105-01) – Product Used in the Energy Sector

CISA has published an advisory on stack-based buffer overflow and out-of-bounds read vulnerabilities in Eaton HMiSoft VU3. Versions 3.00.23 and prior are affected. Successful exploitation of these vulnerabilities could crash the device being accessed and may allow remote code execution or information disclosure. Eaton ceased manufacturing the HMiVU on December 31, 2018, and marked the HMiVU software as end of life. As a result, Eaton no longer provides technical support, security fixes, or other fixes for the HMiVU software. To better serve users and provide ongoing replacement solutions, HMiVU was replaced with the XV100 and XV300 lines of operator interface products. It is strongly recommended HMiVU users contact Eaton for technical support and migration assistance to the XV solution. CISA also recommends a series of measures to mitigate the vulnerabilities. Read the advisory at CISA.