Still Haunted by Ghost Signal? A Look Back at CVE-2024-53150
Last year, a critical vulnerability in the InduCore SCADA platform, nicknamed “Ghost Signal,” was disclosed. Tracked as CVE-2024-53150, this flaw allows unauthenticated attackers to steal sensitive files and scan internal networks. A full year after its discovery, data shows that numerous industrial systems remain unpatched. This post revisits this critical vulnerability.
TL;DR:
- What: An XML External Entity (XXE) injection vulnerability in InduCore SCADA’s file import feature.
- Affected Software: InduCore SCADA versions 7.1.0 through 8.3.2.
- Impact: An unauthenticated attacker can read sensitive files from the server and perform network scanning on the internal Operational Technology (OT) network.
- Action: Many systems are still vulnerable. Update to version 8.3.3 or newer immediately.
What is InduCore SCADA?
InduCore SCADA is a web-based Human-Machine Interface (HMI) platform used across various industries, including manufacturing, energy, and water treatment. It provides operators with a graphical interface to monitor and control industrial processes and machinery like PLCs and RTUs.
The “Ghost Signal” Vulnerability Explained (CVE-2024-53150)
The vulnerability is a classic XML External Entity (XXE) injection. It exists in the function that processes uploaded project files (.icproj), which are XML-based. The XML parser was misconfigured to allow the processing of “external entities”, a feature that lets an XML document include data from external files or URLs.
The Attack Flow:
- An attacker crafts a malicious .icproj project file. This file contains a special XML payload that defines an external entity pointing to a local file on the server (e.g., C:\windows\win.ini) or an internal network resource.
- The attacker uploads this file to the SCADA server’s unauthenticated project import endpoint.
- The server’s XML parser opens the file and, due to the XXE flaw, attempts to resolve the external entity. It reads the contents of the specified local file or network resource.
- The attacker can then use other XML features to embed the content of that file into an error message, which is sent back to the attacker.
Here is an example of a malicious XXE payload within a project file:
```xml
<?xml version="1.0"?>
<!DOCTYPE project [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<project>
  <name>&xxe;</name>
</project>
```
When the server processes the <name> tag, it replaces the &xxe; entity reference with the contents of the /etc/passwd file, exfiltrating it to the attacker.
Impact and Remediation
In an Industrial Control System (ICS) environment, the impact of information disclosure is extremely high. By exploiting this vulnerability, an attacker can:
- Map the OT Network: Discover the IP addresses and roles of critical internal systems like PLCs, historians, and engineering workstations.
- Steal Credentials and Configurations: Read configuration files containing passwords or keys for other industrial equipment.
- Gather Intelligence for a Future Attack: Use the stolen information to plan a more sophisticated attack aimed at disrupting or sabotaging the physical industrial process.
Are you still affected? You are vulnerable if your facility uses InduCore SCADA versions 7.1.0 through 8.3.2. The long patching cycles and operational uptime requirements in industrial environments mean many systems that were vulnerable a year ago remain so today.
How to Fix It: The patch for this vulnerability was released in late 2024. The fix involves configuring the XML parser to disable external entity resolution entirely.
- Schedule and Apply the Patch: The only way to fix the flaw is to update your InduCore SCADA software to version 8.3.3 or newer. This must be scheduled during a planned maintenance window.
- Network Segmentation: Ensure the SCADA HMI server is on a properly segmented network, with strict firewall rules limiting its ability to initiate connections to the broader corporate network or the internet. This can mitigate the impact of SSRF-style XXE attacks.
- Monitor Network Traffic: Look for unusual outbound connections originating from your HMI server, which could indicate an attempted or successful exploit.
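As an added example (not InduCore’s code or the vendor patch), here is what “disable external entity resolution entirely” looks like in practice: a Python import gate that pre-scans an uploaded project file with a bare expat parser whose DOCTYPE and entity hooks abort, so both the file-read payload shown earlier and an SSRF-style entity aimed at an internal host are refused before anything is resolved. The policy that a .icproj never legitimately needs a DOCTYPE, the `load_project`/`is_safe_project` names and the sample documents (including the 10.0.0.5 placeholder address) are assumptions constructed for this illustration.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeProjectFile(ValueError):
    """Raised when an uploaded project file carries DTD or entity constructs."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Pre-scan with a bare expat parser whose DTD hooks abort the parse.
    Assumption: a legitimate .icproj never needs a DOCTYPE, so every
    <!DOCTYPE>, <!ENTITY> and external entity reference is refused."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeProjectFile(f"DOCTYPE '{name}' not allowed in project file")

    def on_entity_decl(*_):
        raise UnsafeProjectFile("entity declaration not allowed in project file")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeProjectFile(f"external entity {sysid!r} refused")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(xml_bytes, True)


def load_project(xml_bytes: bytes) -> dict:
    """Import a project file: DTD pre-check first, then normal parsing."""
    reject_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    return {"name": root.findtext("name", default="")}


def is_safe_project(xml_bytes: bytes) -> bool:
    """True if the upload is accepted, False if the XXE gate refuses it."""
    try:
        load_project(xml_bytes)
        return True
    except UnsafeProjectFile:
        return False


# Constructed samples: a benign project, the page's file-read payload, and
# the same trick pointed at an internal host (placeholder address).
BENIGN = b'<?xml version="1.0"?><project><name>Line 3 HMI</name></project>'
XXE_FILE = (b'<?xml version="1.0"?><!DOCTYPE project [<!ENTITY xxe SYSTEM '
            b'"file:///etc/passwd">]><project><name>&xxe;</name></project>')
XXE_SSRF = (b'<?xml version="1.0"?><!DOCTYPE project [<!ENTITY xxe SYSTEM '
            b'"http://10.0.0.5/">]><project><name>&xxe;</name></project>')
```

Rejecting the DOCTYPE outright is stricter than merely disabling external entities, but it also closes the entity-expansion variants a blocklist on `SYSTEM` alone would miss.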
Resources and Citations
- Official ICS-CERT Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-24-301-01
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-53150
- Discoverer’s Technical Blog: A detailed analysis was published by the ICS security firm Dragos: https://dragos.com/blog/examining-ghost-signal-xxe-in-inducore-scada/
- General