CVE-2021-33025: 
xArrow vulnerability analysis and mitigation

CVE-2021-33025 affects xArrow SCADA versions 7.2 and prior. This vulnerability is related to improper input validation where the system permits unvalidated registry keys to be run with application-level privileges. The vulnerability was reported to CISA by security researchers Sharon Brizinov from Claroty and Michael Heinzl (CISA Advisory).

The vulnerability has been classified as improper input validation (CWE-20). It received a CVSS v3.1 base score of 5.6 MEDIUM with the vector string AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N, indicating local access is required with low attack complexity. The vulnerability requires user interaction and low privileges to exploit (CISA Advisory, NVD).

Successful exploitation of this vulnerability could allow an attacker to execute registry keys with application-level privileges, potentially leading to unauthorized access and system compromise. The vulnerability affects critical infrastructure sectors including Critical Manufacturing, Energy, and Water and Wastewater Systems (CISA Advisory).

CISA recommends users implement several defensive measures including: disabling web server implementation (disabled by default), minimizing network exposure for control system devices, locating control system networks behind firewalls, isolating them from business networks, and using secure methods like VPNs when remote access is required. The vendor xArrow has not responded to requests to work with CISA to mitigate these vulnerabilities (CISA Advisory).