This morning the DHS ICS-CERT published a new advisory for a directory traversal vulnerability in the ICONICS WebHMI. The vulnerability was reported by Maxim Rupp. A new version of the HMI is available, but there is no indication that Maxim was provided the opportunity to verify the efficacy of the fix. ICONICS has also recommended that the vulnerable version of WebHMI not be exposed directly to the Internet.
ICS-CERT reports that a relatively inexperienced attacker could remotely exploit this vulnerability to download arbitrary files from the target system.