ICS Advisory

RLE Nova-Wind Turbine HMI Unsecure Credentials Vulnerability (Update A)

Last Revised
Alert Code


This updated advisory is a follow-up to the original advisory titled ICSA-15-162-01 RLE Nova‑Wind Turbine HMI Unsecure Credentials Vulnerability that was published June 11, 2015, on the NCCIC/ICS-CERT web site.

Independent researcher Maxim Rupp has identified an unsecure credential vulnerability in the RLE International GmbH Nova-Wind Turbine HMI. RLE has been unresponsive in validating or addressing the alleged vulnerability. ICS-CERT is releasing this advisory to warn and protect critical asset owners of this serious issue.

This vulnerability could be exploited remotely.


The following RLE International GmbH product is affected:

  • Nova-Wind Turbine HMI


--------- Begin Update A Part 1 of 2 --------

Plain text credentials can be used to gain unauthorized access to the device. This means that a malicious party could perform any action on the device including change or modify configurations and settings.

--------- End Update A Part 1 of 2 ----------

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation


RLE International GmbH is a Germany-based company that maintains offices in several countries around the world, including the US, UK, Sweden, and India.

The affected product, Nova-Wind Turbine HMI, is a human-machine interface (HMI) for a wind turbine. This product is used in the Energy Sector.



--------- Begin Update A Part 2 of 2 --------

PLAINTEXT STORAGE OF A PASSWORDCWE-256: Plaintext Storage of a Password, http://cwe.mitre.org/data/definitions/256.html, web site last accessed June 11, 2015.

The Nova-Wind Turbine HMI stores credentials in a plaintext file. If a malicious user recovers this file, then they could use the credentials to authenticate with the HMI and make changes to the configuration.

--------- End Update A Part 2 of 2 ----------

CVE-2015-3951NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3951, web site last accessed June 15, 2015. has been assigned to this vulnerability. A CVSS v2 base score of 10.0 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:C/I:C/A:C).CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C, web site last accessed June 11, 2015.



This vulnerability could be exploited remotely.


No known public exploits specifically target this vulnerability.


An attacker with a low skill would be able to exploit this vulnerability.


ICS-CERT has attempted on multiple occasions to contact the vendor regarding this serious flaw and have according to our vulnerability disclosure policy now produced this advisory. Insecure credential vulnerabilities create a serious risk to asset owners. ICS-CERT strongly recommends ensuring that the impacted product is not connected to the Internet or any network as this vulnerability is remotely exploitable.

ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page at: http://ics-cert.us-cert.gov/content/recommended-practices. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site (http://ics-cert.us-cert.gov/).

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

This product is provided subject to this Notification and this Privacy & Use policy.


RLE Nova-Wind