A new security report has revealed serious, unpatched vulnerabilities in industrial control system (ICS) products manufactured by Novakon, a Taiwan-based subsidiary of iBASE Technology. Security researchers at CyberDanube identified five categories of flaws affecting Novakon’s Human-Machine Interfaces (HMIs), including an unauthenticated buffer overflow that allows remote code execution with root privileges. Other weaknesses include directory traversal, weak authentication, excessive process privileges, and insufficient system protections.
What makes this situation particularly alarming is that these flaws can be exploited remotely and without authentication—meaning attackers don’t need credentials or physical access to compromise the devices. Once exploited, adversaries could disrupt production, manipulate industrial processes, disable safety systems, or use the devices as stepping stones for further attacks inside critical environments.
The risks are compounded by Novakon’s lack of response. Despite repeated disclosure attempts, the company has ignored most communications from CyberDanube and has released no security patches. This leaves organizations operating these devices with no vendor-supported mitigation, effectively shifting the full burden of protection to asset owners.
With an estimated 40,000 Novakon HMIs deployed globally in data centers and critical infrastructure, the potential impact is severe. Researchers stress that asset owners must immediately assess their exposure, ensure Novakon devices are not internet-facing, implement compensating network controls, and develop incident response playbooks.
This episode examines the vulnerabilities in detail, the risks they pose to industrial environments, and what organizations can do in the absence of vendor support.
#Novakon #ICS #CriticalInfrastructure #CyberSecurity #Vulnerabilities #HMI #iBASE #OTSecurity #CyberDanube #RemoteCodeExecution #DataCenters
