Today the DHS ICS-CERT published an advisory describing a vulnerability in the Invensys Wonderware Win-XML Exporter. The improper input validation vulnerability was reported by Timur Yunusov, Alexey Osipov, and Ilya Karpov of the Positive Technologies Research Team in a coordinated disclosure. This advisory was originally released on the US-CERT Secure Portal on March 8th, 2013.
ICS-CERT reports that an attacker with a moderate skill set could exploit this vulnerability to conduct a DoS attack or gain access to system information. The advisory states that this vulnerability is not remotely exploitable, but it looks like a social engineering attack could cause a system user to access a specially crafted XML file to execute the attack.
Invensys has developed an update for the Win-XML Exporter that mitigates the vulnerability and it is available on the company download site. This has been validated by the original researchers.