Infosec researchers at Tenable Security have unearthed a remote code execution flaw in critical infrastructure software made by energy management multinational Schneider Electric.
The vulnerability could have allowed miscreants to control underlying critical infrastructure systems, researchers said.
The apps affected – used widely in oil and gas, water and other critical infrastructure facilities – were InduSoft Web Studio and InTouch Machine Edition.
If exploited, attackers would have been able to move laterally through the network, exposing additional systems to attack. The worst-case scenario would have been the crippling of power plant operations.
InduSoft is an automation tool for developing human-machine interfaces (HMIs) and SCADA systems and InTouch is used to develop apps that connect automation systems and interfaces for browsers, smartphones and tablets.
Both contained a buffer overflow vuln that allowed an attacker to mount a denial of service attack or potentially execute arbitrary code, said Tenable.
Tom Parsons, head of Tenable in Ireland, said there were no known instances of the flaws being exploited, adding the firm worked with Schneider over three months to resolve the issue. Schneider has since released patches for both affected systems (PDF).
"The recent statement from Homeland Security and NCSC points towards hostile states having an interest in critical infrastructure," he said.
Last month the UK's National Cyber Security Centre (NCSC) and the US Federal Bureau of Investigation warned that Russian state-sponsored hackers are targeting network infrastructure. The joint Technical Alert described a global assault on routers, switches, firewalls and network intrusion detection hardware.
The US Department of Homeland Security and FBI have also warned that Russia is hacking into American nuclear facilities and other infrastructure.
Meanwhile, the UK government is waving a stick at infrastructure firms, warning they could face fines of up to £17m if their cybersecurity is found to be inadequate.
Dave Cole, chief product officer at Tenable, said the flaw "is particularly concerning because of the potential access it grants cybercriminals looking to do serious damage to mission-critical systems that quite literally power our communities".
The Register has contacted Schneider for further comment.