Unpatched Vulnerabilities Expose Novakon HMIs to Remote Hacking

Unpatched Vulnerabilities Expose Novakon HMIs to Remote Hacking

Posted on By CWS

Among the industrial management system (ICS) merchandise made by Taiwan-based Novakon are affected by critical vulnerabilities, and the seller doesn’t seem to have launched any patches. 

A subsidiary of iBASE Know-how, Novakon designs and manufactures human-machine interfaces (HMIs), industrial PCs, and IIoT options. The corporate serves 18 nations throughout North America, Europe and Asia. Advertising and marketing supplies present that 40,000 models of Novakon’s 7” HMIs have been deployed in world information facilities. 

Researchers at CyberDanube, an IT/OT penetration testing and safety consulting firm, found that Novakon’s HMIs are affected by 5 sorts of vulnerabilities.

In line with an advisory printed by CyberDanube, the HMIs are affected by an unauthenticated buffer overflow permitting distant code execution with root privileges, a listing traversal that exposes information, and a few weak authentication points that enable entry to the system and functions.

The safety agency’s researchers additionally found lacking safety mechanisms and unnecessarily excessive permissions for sure processes. 

Sebastian Dietz, safety researcher at CyberDanube, informed SecurityWeek that the vulnerabilities will be exploited remotely with out authentication.

“An unauthenticated attacker may leverage these vulnerabilities to execute excessive privilege code on these gadgets,” Dietz defined. “As HMI gadgets are used to work together with machines and methods (eg, PLCs, manufacturing traces) in essential infrastructure, gaining arbitrary code execution may have extreme penalties.”

Dietz famous that it’s tough to find out what number of gadgets could also be weak to assaults, “as they’re usually deployed in essential infrastructure and (hopefully) indirectly uncovered by way of the web”.Commercial. Scroll to proceed studying.

CyberDanube stated Novakon has been despatched a report describing its findings, however the vendor didn’t present any suggestions and ignored a overwhelming majority of its communication makes an attempt. 

Novakon has not responded to SecurityWeek’s request for remark.

Associated: DELMIA Manufacturing facility Software program Vulnerability Exploited in Assaults

Associated: ICS Patch Tuesday: Rockwell Automation Leads With 8 Safety Advisories

Associated: Important Flaws Patched in Rockwell FactoryTalk, Micro800, ControlLogix Merchandise

Security Week News Tags:, , , , , ,

Related Posts

Half of 2025’s Zero-Day Exploits Target Businesses: Google Half of 2025’s Zero-Day Exploits Target Businesses: Google Security Week News
Asus DriverHub Vulnerabilities Expose Users to Remote Code Execution Attacks Asus DriverHub Vulnerabilities Expose Users to Remote Code Execution Attacks Security Week News
Google Patches Gemini AI Hacks Involving Poisoned Logs, Search Results Google Patches Gemini AI Hacks Involving Poisoned Logs, Search Results Security Week News
Android’s December 2025 Updates Patch Two Zero-Days Android’s December 2025 Updates Patch Two Zero-Days Security Week News
A Massive Telecom Threat Was Stopped Right As World Leaders Gathered at UN Headquarters in New York A Massive Telecom Threat Was Stopped Right As World Leaders Gathered at UN Headquarters in New York Security Week News
Ramnit Malware Infections Spike in OT as Evidence Suggests ICS Shift Ramnit Malware Infections Spike in OT as Evidence Suggests ICS Shift Security Week News