Full Report
New research from Claroty reveals alarming security risks across building management systems (BMS) and building automation systems (BAS),... The post Claroty detects widespread cyber risks in building management systems, including ransomware-linked KEVs appeared first on Industrial Cyber.
Analysis Summary
**Note:** The provided context summarizes a report by Claroty focusing on the *prevalence* of vulnerabilities and general security weaknesses in Building Management Systems (BMS) and Building Automation Systems (BAS). It does *not* provide specific CVE identifiers, detailed technical descriptions, or specific patch versions for individual flaws. Therefore, the CVE Details, Vulnerability Description, and Patch sections will reflect the high-level findings regarding KEVs and unmanaged OS versions, as specific data is missing.
# Vulnerability: Widespread Known Exploited Vulnerabilities (KEVs) and Insecure Configurations in BMS/BAS Environments
## CVE Details
- CVE ID: Multiple KEVs (Specific IDs not listed in context)
- CVSS Score: Not specified (Implied High due to KEV link to ransomware)
- CWE: Information disclosure, weak authentication, improper access control (Inferred from findings)
## Affected Systems
- Products: Building Management Systems (BMS) and Building Automation Systems (BAS) devices.
- Versions: Unspecified legacy versions of BMS software/firmware; Unmanaged Windows versions (XP, 7, 8, 10, Server 2003).
- Configurations: Devices insecurely connected to the internet; systems relying on weak authentication/access controls.
## Vulnerability Description
The primary risk identified stems from the widespread deployment of devices impacted by Known Exploited Vulnerabilities (KEVs), many of which are explicitly linked to historical ransomware attacks. Furthermore, many BMS environments rely on unsupported or legacy Windows operating systems that no longer receive security patches from Microsoft, rendering any existing KEVs as perpetual "forever-day" vulnerabilities. Other critical risk factors include insecure internet exposure, weak authentication mechanisms (allowing brute-force attacks), excessive deployment of unmanaged remote access tools, and misconfigurations leading to open ports and unused services.
## Exploitation
- Status: Confirmed Exploited in the wild (KEVs linked to ransomware attacks)
- Complexity: Low to Medium (Brute-force attacks via insecure internet exposure are noted)
- Attack Vector: Network (Remote exploitation via internet exposure is a major vector)
## Impact
- Confidentiality: High (Potential for data exfiltration or system information theft)
- Integrity: High (System manipulation, malware deployment due to KEVs/ransomware linkage)
- Availability: High (Risk to business continuity and physical infrastructure disruption)
## Remediation
### Patches
- **Vendor-Specific Patches:** Organizations must urgently apply vendor-provided security updates for all supported BMS/BAS components where KEVs exist. (Specific CVE patches are not detailed in the source text.)
### Workarounds
1. **Network Segmentation:** Strictly segment BMS/BAS networks away from the enterprise network to limit lateral movement potential.
2. **Control Compensating Controls:** Implement compensating controls for devices running unmanaged operating systems (Windows XP/7/etc.) that cannot be patched.
3. **Firewall Audit:** Perform a thorough audit of firewall rules to close open ports and disable unused services exposing BMS devices externally.
4. **Access Control Hardening:** Implement strong authentication, ideally MFA, on all vendor and internal remote access technologies.
## Detection
- **Indicators of Compromise:** Look for indicators related to known ransomware attack patterns leveraging system vulnerabilities within OT/BMS traffic.
- **Detection Methods and Tools:** Utilize network auditing tools (like Shodan for external exposure checks) to identify internet-facing BMS devices. Monitor for brute-force attempts against BMS interfaces and excessive use of remote access tools. Implement enhanced logging on firewalls and network gateways leading to OT/BMS zones.
## References
- Claroty Team82 Report: State of CPS Security 2025: Building Management System Exposures
- Vendor advisories for specific BMS products referencing KEV patching.
- [Defanged Link 1: industrialcyber co/ransomware/cyfirma-flags-intensifying-ransomware-risk-to-healthcare-sector-led-by-us-for-profit-firms/]
- [Defanged Link 2: industrialcyber co/industrial-cyber-attacks/intensifying-need-to-strengthen-cybersecurity-controls-throughout-ot-lifecycle-mitigate-risks/]
- [Defanged Link 3: industrialcyber co/features/strengthening-ot-ics-incident-response-to-address-growing-complexity-of-cyber-threats-deliver-business-continuity/]