USA DHS and ICS-Cert (Industrial Control Systems) have issued another advisory for vulnerable control systems that could be taken over by rogue attackers. These systems have web access points, web servers at port 80, that an attacker can send a carefully crafted request to and gain access and gain control of the system being controlled.
This warning applies to a popular industrial control system, Tridium Niagara AX, which has some default settings that allow the attack to happen and the attackers to get the credential storage and then take control of the system. These problems include not having proper security applied to some directories, poor encryption, session cookie vulnerabilities, and predictable session ids all allowing remote attack.
There are exploits available in the wild, so if you have or know someone who has these systems they should head to tridium.com check that their system needs patching and patch, properly configure their systems, and until then shut down the web interface.