High risk vulnerability discovered in Sauter CASE Suite building automation software

Applied Risk researcher, Gjoko Krstic, has identified a security vulnerability in the Sauter CASE Suite, a software package used to handle building automation projects with energy-efficient strategies and methods.

The Sauter CASE Suite is a building management software that is used for project engineering and control functions of building management systems within both office and industrial environments. The application suffers from an XML External Entity (XXE) vulnerability, which can be used to cause a Denial of Service (DoS) condition via a specially crafted XML file.

Vulnerability impact

The impact of this vulnerability is that an unauthenticated user can craft a malicious XML data file that allows them to access sensitive information or configuration files, potentially impacting the availability of the affected application.

This vulnerability is classified as high risk and has therefore been given a CVSS (Common Vulnerability Scoring System) of 8.6.

What can you do?

Applied Risk has worked alongside Sauter in the responsible disclosure process, with the vendor releasing a patch. It is recommended to organisations utilising the SAUTER CASE Suite building automation software to update to the latest version.