October 23, 2025

Unpatched Vulnerabilities Expose Novakon HMIs to Remote Hacking

Novakon human-machine interface (HMI) devices suffer from multiple severe, unpatched vulnerabilities that allow unauthenticated remote attackers to gain root access, execute arbitrary code, traverse directories, and bypass weak authentication. These flaws stem from buffer overflows, excessive permissions in key processes, and the absence of robust protection mechanisms. Because Novakon has neither issued patches nor acknowledged the findings, deployed devices remain at risk across critical infrastructure settings.

Because HMIs serve as the gateway between operators and control systems (PLCs, plant networks, etc.), their compromise could allow attackers to interfere with industrial operations, hijack control logic, or disrupt service availability. The lack of vendor response intensifies the threat, forcing asset owners to adopt mitigations such as isolating devices from broader networks, enforcing strict access controls, and closely monitoring for anomalous behavior until official fixes are released.

Source: https://www.securityweek.com/unpatched-vulnerabilities-expose-novakon-hmis-to-remote-hacking/
