CVE-2014-0780 — InduSoft Web Studio NTWebServer Directory Traversal Vulnerability

InduSoft Web Studio — Unauthenticated Directory Traversal in NTWebServer Exposes Admin Credentials in ICS/SCADA Environments

What Is InduSoft Web Studio?

InduSoft Web Studio (now AVEVA InduSoft Web Studio) is a widely deployed SCADA (Supervisory Control and Data Acquisition) and HMI (Human-Machine Interface) software platform used in industrial control systems across manufacturing, oil and gas, water/wastewater treatment, building automation, and utility sectors. It enables operators to monitor and control industrial processes via web-based interfaces served from plant floor computers.

A key feature is NTWebServer — InduSoft's embedded HTTP server that hosts the HMI web interface, allowing operators and engineers to access process data and controls remotely. ICS/SCADA software like InduSoft is a high-value target because compromising it can affect physical industrial processes — not merely data.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on April 15, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2014-0780 is a critical directory traversal vulnerability in InduSoft Web Studio's embedded NTWebServer component. An unauthenticated remote attacker can send a crafted HTTP GET request containing path traversal sequences (../) to read arbitrary files on the server. Critically, InduSoft APP project files store administrator usernames and passwords — reading these files with no authentication provides credentials for full administrative control over the SCADA system. An attacker can then use those credentials to modify process logic, disrupt operations, or use the HMI as a pivot point into the industrial network.

Affected Versions

InduSoft Web Studio | Status
< v7.1 SP2 Patch 4 | Vulnerable
v8.0 (pre-release) | Vulnerable
v7.1 SP2 Patch 4 | Fixed
v8.0 (patched release) | Fixed

Technical Details

Root Cause: Unsanitized Path in NTWebServer HTTP Handler

InduSoft's NTWebServer handles HTTP GET requests to serve HMI content. The request handler did not sanitize ../ sequences (or URL-encoded equivalents like %2e%2e%2f) in the request path, allowing attackers to traverse outside the intended web root directory.

Example malicious request:

GET /../../../../Program%20Files/InduSoft%20Web%20Studio%20v7.1/project.app HTTP/1.1
Host: target-hmi:80
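
The following is an added example, not code from InduSoft or from the advisory: it contrasts the unchecked join described above with a containment check applied after decoding and normalisation. `WEB_ROOT` and both function names are hypothetical, and Python's `ntpath` module stands in for the Windows path rules the HMI host follows.

```python
import ntpath  # Windows path rules, usable on any OS for string-level checks
from urllib.parse import unquote

WEB_ROOT = r"C:\HMI\Web"  # hypothetical web root, not InduSoft's real layout


def resolve_naive(request_path):
    """Flawed pattern: decode, join to the root, never check the result."""
    relative = unquote(request_path).lstrip("/")
    return ntpath.normpath(ntpath.join(WEB_ROOT, relative))


def resolve_safe(request_path):
    """Return the file path inside WEB_ROOT, or None if the request escapes it."""
    decoded = unquote(request_path)  # decode once, exactly as the server will
    if "\x00" in decoded:
        return None
    # Windows accepts both separators; strip leading ones so join() stays relative.
    relative = decoded.replace("/", "\\").lstrip("\\")
    if ntpath.splitdrive(relative)[0]:  # a drive prefix would replace the root in join()
        return None
    root = ntpath.normpath(WEB_ROOT)
    candidate = ntpath.normpath(ntpath.join(root, relative))
    # Containment check on the normalised result (NTFS is case-insensitive).
    inside = candidate.lower().startswith(root.lower() + "\\")
    if candidate != root and not inside:
        return None
    # A real server must also resolve junctions/symlinks before this check.
    return candidate


if __name__ == "__main__":
    for path in (
        "/screens/main.html",
        "/../../../../Program%20Files/InduSoft%20Web%20Studio%20v7.1/project.app",
        "/%2e%2e%2f%2e%2e%2fnotes.txt",
        "/..%5c..%5cnotes.txt",
    ):
        print(f"{path!r}\n  naive: {resolve_naive(path)}\n  safe:  {resolve_safe(path)}")
```

The check runs on the final normalised path rather than on the raw request string, so plain, percent-encoded and backslash forms of the traversal are all rejected by the same comparison.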

Why the credential theft is especially dangerous:

InduSoft APP project files (*.app) are XML-based project configuration files that include username and password fields for the InduSoft application security model. These passwords, while potentially obfuscated, can often be recovered in cleartext or in a weakly encoded form. Once an attacker has the administrator credentials, they can:

  1. Log in to the InduSoft web interface as administrator
  2. Modify alarm setpoints, process parameters, or control logic
  3. Disable safety interlocks or alarm notifications
  4. Access connected PLCs and field devices

Attack Characteristics

Attribute | Detail
Attack Vector | Network — HTTP request, no authentication required
Privileges Required | None
User Interaction | None
Target | Industrial control system HMI servers
ICS-CERT Advisory | ICSA-14-079-01

Discovery

Reported to ICS-CERT by security researchers. ICS-CERT coordinated disclosure with InduSoft (then a subsidiary of Schneider Electric) and published Advisory ICSA-14-079-01 in April 2014.

Exploitation Context

  • ICS/SCADA targeting: This class of vulnerability is disproportionately dangerous in operational technology (OT) environments because exploitation can affect physical processes — not just data or systems
  • Credential theft → full access: The path from directory traversal to full SCADA administrative control is short and requires no additional vulnerabilities
  • Network exposure: ICS systems are increasingly accessible over corporate networks and, in some cases, directly internet-exposed — making network-based exploitation viable without physical access
  • Nation-state relevance: State-sponsored APT groups targeting critical infrastructure (water, energy, manufacturing) have exploited ICS vulnerabilities in this class (e.g., Dragonfly/Energetic Bear campaigns)
  • CISA KEV (2022): Added to KEV in April 2022, reflecting confirmed active exploitation

Remediation

CISA BOD 22-01 Deadline: May 6, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Update InduSoft Web Studio to v7.1 SP2 Patch 4 or v8.0+ per ICS-CERT advisory ICSA-14-079-01 and AVEVA (Schneider) guidance.

  2. Network segmentation: Restrict NTWebServer access to authorized IP addresses only via firewall rules. The HMI web interface should never be directly internet-accessible.

  3. Disable NTWebServer if remote web access is not required — disable the embedded web server entirely and use only the native InduSoft client.

  4. Change SCADA credentials immediately after patching — assume any credentials stored in APP project files on previously vulnerable systems are compromised.

  5. ICS network isolation: Implement DMZ architecture for industrial networks; use jump servers/historian firewalls to control access between corporate and operational networks.

  6. Monitor for traversal attempts: Inspect NTWebServer HTTP logs for ../ or %2e%2e sequences in request paths.
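
One way to implement the log inspection in step 6, as an added example that is not part of the advisory or the vendor's tooling. The log line shape (client address, quoted request line, status code) is an assumption, the sample lines are constructed, and the function names are hypothetical; it goes beyond the literal `../` and `%2e%2e` strings by also unmasking double-encoded and backslash variants.

```python
import re
from urllib.parse import unquote

# Assumed log shape: client address first, then the quoted request line and status.
REQUEST_RE = re.compile(r'^(\S+) .*"(?:GET|HEAD|POST) (\S+) HTTP/\d\.\d" (\d{3})')
# Constructed sample lines (documentation IP ranges), not real NTWebServer output.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2024:08:01:02 +0000] "GET /screens/main.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Mar/2024:08:03:40 +0000] "GET /../../../../Program%20Files/'
    'InduSoft%20Web%20Studio%20v7.1/project.app HTTP/1.1" 200 20480',
    '198.51.100.7 - - [12/Mar/2024:08:03:41 +0000] "GET /%2e%2e%2f%2e%2e%2fnotes.txt HTTP/1.1" 404 0',
    '198.51.100.7 - - [12/Mar/2024:08:03:42 +0000] "GET /%252e%252e%255cproject.app HTTP/1.1" 404 0',
    '192.0.2.10 - - [12/Mar/2024:08:05:00 +0000] "GET /reports/v1..2/summary.html HTTP/1.1" 200 900',
]


def fully_decode(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is unmasked."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(line):
    """Return a finding dict for a traversal attempt, or None for a clean line."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    client, raw, status = match.groups()
    path = fully_decode(raw.split("?", 1)[0]).replace("\\", "/")
    if ".." not in path.split("/"):  # whole ".." segments only, so "v1..2" passes
        return None
    return {
        "client": client,
        "decoded_path": path,
        "served": status == "200",  # file was returned: treat as disclosure
        "project_file": path.lower().endswith(".app"),  # APP files hold credentials
    }


def scan(lines):
    return [finding for finding in map(classify, lines) if finding]


if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A finding with both `served` and `project_file` set corresponds to the case in step 4: the credentials in that project file should be treated as compromised and changed.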

Key Details

Property | Value
CVE ID | CVE-2014-0780
Vendor / Product | InduSoft — Web Studio
NVD Published | 2014-04-25
NVD Last Modified | 2025-10-22
CVSS 3.1 Score | 9.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity | CRITICAL
CWE | CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CISA KEV Added | 2022-04-15
CISA KEV Deadline | 2022-05-06
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector | Network
Attack Complexity | Low
Privileges Required | None
User Interaction | None
Scope | Unchanged
Confidentiality | High
Integrity | High
Availability | High

Required Action

CISA BOD 22-01 Deadline: 2022-05-06. Apply updates per vendor instructions.

Timeline

Date | Event
2014-03-20 | ICS-CERT receives report of vulnerability from security researchers
2014-03-20 | ICS-CERT coordinates disclosure with InduSoft (Schneider Electric)
2014-04-08 | ICS-CERT Advisory ICSA-14-079-01 published; patched versions released
2014-04-25 | CVE-2014-0780 published by NVD
2022-04-15 | Added to CISA Known Exploited Vulnerabilities catalog
2022-05-06 | CISA BOD 22-01 remediation deadline