Skip to main content
(844) 422-7000

Hitachi Energy Asset Suite 9

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 6.9
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: Asset Suite 9
Vulnerability: Improper Authentication

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to use an authentication anomaly to successfully invoke the REST service.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Hitachi Energy’s Asset Suite, an enterprise asset management tool, are affected:

Asset Suite: Versions prior to 9.6.3.13
Asset Suite: Versions prior to 9.6.4.1

3.2 Vulnerability Overview

3.2.1 IMPROPER AUTHENTICATION CWE-287

REST service authentication anomaly with “valid username/no password” credential combination for batch job processing may result in successful service invocation. The anomaly doesn’t exist with other credential combinations.

CVE-2024-2244 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-2244. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported this vulnerability to CISA.

4. MITIGATIONS

Hitachi Energy recommends users apply the following mitigations where available:

Update to version 9.6.3.13 or 9.6.4.1

For more information, see Hitachi Energy advisory 8DBD000195.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

April 4, 2024: Initial Publication

Schweitzer Engineering Laboratories SEL

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 5.9
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schweitzer Engineering Laboratories
Equipment: SEL 700 series relays
Vulnerability: Inclusion of Undocumented Features

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to make modifications or cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Schweitzer Engineering Laboratories products are affected:

SEL-700BT Motor Bus Transfer Relay: R301-V0 up to but not including R301-V6
SEL-700BT Motor Bus Transfer Relay: R302-V0 up to but not including R302-V1
SEL-700G Generator Protection Relay: R100-V0 up to but not including R301-V6
SEL-700G Generator Protection Relay: R302-V0 up to but not including R302-V1
SEL-710-5 Motor Protection Relay: R100-V0 up to but not including R302-V1
SEL-751 Feeder Protection Relay: R101-V0 up to but not including R302-V3
SEL-751 Feeder Protection Relay: R400-V0 up to but not including R400-V2
SEL-787-2/-3/-4 Transformer Protection Relay: R100-V0 up to but not including R302-V1
SEL-787Z High-Impedance Differential Relay: R302-V0 up to but not including R302-V3

3.2 Vulnerability Overview

3.2.1 INCLUSION OF UNDOCUMENTED FEATURES CWE-1242

Inclusion of undocumented features vulnerability accessible when logged on with a privileged access level on the following Schweitzer Engineering Laboratories relays could allow the relay to behave unpredictably.

CVE-2024-2103 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-2103. A base score of 5.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

An anonymous researcher reported this vulnerability to CISA.

4. MITIGATIONS

Schweitzer Engineering Laboratories recommends updating to the latest versions:

SEL-700BT Motor Bus Transfer Relay: R301-V6
SEL-700BT Motor Bus Transfer Relay: R302-V1
SEL-700G Generator Protection Relay: R301-V6
SEL-700G Generator Protection Relay: R302-V1
SEL-710-5 Motor Protection Relay: R302-V0
SEL-751 Feeder Protection Relay: R302-V3
SEL-751 Feeder Protection Relay: R400-V2
SEL-787-2/-3/-4 Transformer Protection Relay: R302-V1
SEL-787Z High-Impedance Differential Relay: R302-V3

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPNs are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

April 4, 2024: Initial Publication

IOSIX IO-1020 Micro ELD

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.4
ATTENTION: Exploitable from adjacent network/Low attack complexity
Vendor: IOSiX
Equipment: IO-1020 Micro ELD
Vulnerabilities: Use of Default Credentials, Download of Code Without Integrity Check

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an adjacent attacker to take control of vehicle systems by connecting to and modifying the affected device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following IOSiX products are affected:

IO-1020 Micro ELD: Versions prior to 360

3.2 Vulnerability Overview

3.2.1 USE OF DEFAULT CREDENTIALS CWE-1392

IO-1020 Micro ELD uses a default WIFI password that could allow an adjacent attacker to connect to the device.

CVE-2024-30210 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-30210. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H).

3.2.2 USE OF DEFAULT CREDENTIALS CWE-1392

Web server uses a default password for authentication.

CVE-2024-31069 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-31069. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H).

3.2.3 DOWNLOAD OF CODE WITHOUT INTEGRITY CHECK CWE-494

IO-1020 Micro ELD downloads source code or an executable from an adjacent location and executes the code without sufficiently verifying the origin or integrity of the code.

CVE-2024-28878 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.6 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-28878. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Transportation
COUNTRIES/AREAS DEPLOYED: North America
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Jake Jepson of Colorado State University reported these vulnerabilities to CISA.

4. MITIGATIONS

IOSIX recommends users update to 360.

For further support, contact IOSiX.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

April 2, 2024: Initial Publication

Rockwell Automation FactoryTalk View ME

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 6.9
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: FactoryTalk View ME
Vulnerability: Cross-site Scripting

2. RISK EVALUATION

Successful exploitation of this vulnerability could lead to the loss of view or control of the PanelView product.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of FactoryTalk View ME, an HMI software application, are affected:

FactoryTalk View ME: prior to v14

3.2 Vulnerability Overview

3.2.1 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) CWE-79

A vulnerability exists in the affected product that allows a malicious user to restart the PanelView Plus 7 terminal remotely without security protections. If the vulnerability is exploited, it could lead to the loss of view or control of the PanelView product.

CVE-2024-21914 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2024-21914 has been assigned to this vulnerability. A CVSS v4 base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation recommends users update to the latest version:

FactoryTalk View ME: V11
FactoryTalk View ME: V12
FactoryTalk View ME: V13
FactoryTalk View ME: V14

Rockwell Automation recommends users of the affected software, who are not able to upgrade to one of the corrected versions, to apply security best practices, where possible.

For more information, see Rockwell Automation’s security advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

March 26, 2024: Initial Publication

Rockwell Automation PowerFlex 527

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: PowerFlex 527
Vulnerabilities: Improper Input Validation, Uncontrolled Resource Consumption

2. RISK EVALUATION

Successful exploitation of this these vulnerabilities could crash the device and require a manual restart to recover.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Rockwell Automation reports that the following versions of PowerFlex 527 adjustable frequency AC drives are affected:

PowerFlex 527: Versions v2.001.x and later

3.2 Vulnerability Overview

3.2.1 Improper Input Validation CWE-120

A denial-of-service vulnerability exists in the PowerFlex 527 due to improper input validation in the device. If exploited, the web server will crash and need a manual restart to recover it.

CVE-2024-2425 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has been calculated for CVE-2024-2425. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.2 Improper Input Validation CWE-120

A denial-of-service vulnerability exists in the PowerFlex 527 due to improper input validation in the device. If exploited, a disruption in the CIP communication will occur and a manual restart will be required by the user to recover it.

CVE-2024-2426 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has been calculated for CVE-2024-2426. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.3 Uncontrolled Resource Consumption CWE-400

A denial-of-service vulnerability exists in the PowerFlex 527 due to improper traffic throttling in the device. If multiple data packets are sent to the device repeatedly the device will crash and require a manual restart to recover.

CVE-2024-2427 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has been calculated for CVE-2024-2427. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported these vulnerabilities to CISA.

4. MITIGATIONS

Rockwell Automation does not currently have a fix for these vulnerabilities. Users of the affected software are encouraged to apply risk mitigations and security best practices, where possible.

Implement network segmentation confirming the device is on an isolated network.
Disable the web server, if not needed. The web server is disabled by default. Disabling this feature is available in v2.001.x and later.
Security Best Practices

For more information, visit Rockwell Automation’s security advisory page.

CISA recommends users take defensive measures to minimize the risk of exploitation of this these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

March 26, 2024: Initial Publication

Rockwell Automation Arena Simulation

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: low attack complexity
Vendor: Rockwell Automation
Equipment: Arena Simulation Software
Vulnerabilities: Out-of-bounds Write, Heap-based Buffer Overflow, Improper Restriction of Operations within the Bounds of a Memory Buffer, Use After Free, Access of Uninitialized Pointer, Out-of-bounds Read

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could crash the application or allow an attacker to run harmful code on the system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Rockwell Automation reports that the following versions of Arena Simulation Software are affected:

Arena Simulation Software: version 16.00

3.2 Vulnerability Overview

3.2.1 Out-of-bounds Write CWE-787

An arbitrary code execution vulnerability could let a malicious user insert unauthorized code into the software. This is done by writing beyond the designated memory area, which causes an access violation. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVE-2024-21912 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has been calculated for CVE-2024-21912. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 HEAP-BASED BUFFER OVERFLOW CWE-122

A heap-based memory buffer overflow vulnerability could potentially allow a malicious user to insert unauthorized code into the software by overstepping the memory boundaries, which trigger an access violation. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVE-2024-21913 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has been calculated for CVE-2024-21913. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-119

A memory corruption vulnerability could potentially allow a malicious user to insert unauthorized code to the software by corrupting the memory triggering an access violation. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVE-2024-21914 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has been calculated for CVE-2024-21914. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 Use After Free CWE-416

A memory buffer vulnerability could potentially allow a malicious user to insert unauthorized code to the software by corrupting the memory and triggering an access violation. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVE-2024-21918 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has been calculated for CVE-2024-21918. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.5 Access of Uninitialized Pointer CWE-824

An uninitialized pointer could potentially allow a malicious user to insert unauthorized code to the software by leveraging the pointer after it is properly. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVE-2024-21919 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has been calculated for CVE-2024-21919. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.6 Out-of-bounds Read CWE-125

A memory buffer vulnerability might let a threat actor read beyond the intended memory boundaries. This could reveal sensitive information and even cause the application to crash, resulting in a denial-of-service condition. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVE-2024-21920 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L).

A CVSS v4 score has been calculated for CVE-2024-21920. A base score of 4.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Food and Agriculture, Healthcare and Public Health, Critical Manufacturing, Transportation Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to Rockwell Automation.

4. MITIGATIONS

Rockwell Automation recommends upgrading the affected product software to 16.20.03.

Rockwell Automation encourages users of the affected software to apply the risk mitigations, if possible:

Do not open untrusted files from unknown sources.
For information on how to mitigate security risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

For additional information, refer to Rockwell Automation’s security advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

March 26, 2024: Initial Publication

Automation-Direct C-MORE EA9 HMI

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: AutomationDirect
Equipment: C-MORE EA9 HMI
Vulnerabilities: Path Traversal, Stack-Based Buffer Overflow, Plaintext Storage of a Password

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to exploit a remote device and inject malicious code on the panel.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of C-MORE EA9 HMI, a display system used for interfacing with controllers, are affected:

C-MORE EA9 HMI EA9-T6CL: Version 6.77 and prior
C-MORE EA9 HMI EA9-T7CL: Version 6.77 and prior
C-MORE EA9 HMI EA0-T7CL-R: Version 6.77 and prior
C-MORE EA9 HMI EA9-T8CL: Version 6.77 and prior
C-MORE EA9 HMI EA9-T10CL: Version 6.77 and prior
C-MORE EA9 HMI EA9-T10WCL: Version 6.77 and prior
C-MORE EA9 HMI EA9-T12CL: Version 6.77 and prior
C-MORE EA9 HMI EA9-T15CL: Version 6.77 and prior
C-MORE EA9 HMI EA9-T15CL-R: Version 6.77 and prior
C-MORE EA9 HMI EA9-RHMI: Version 6.77 and prior
C-MORE EA9 HMI EA9-PGMSW: Version 6.77 and prior

3.2 Vulnerability Overview

3.2.1 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) CWE-22

There is a function in Automation-Direct C-MORE EA9 HMI that allows an attacker to send a relative path in the URL without proper sanitizing of the content.

CVE-2024-25136 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVE-2024-25136 has been assigned to this vulnerability. A CVSS v4 base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 Stack-based Buffer Overflow CWE-121

In Automation-Direct C-MORE EA9 HMI there is a program that copies a buffer of a size controlled by the user into a limited sized buffer on the stack which leads to a stack overflow. The result of this stack-based buffer overflow will lead to a denial-of-service conditions.

CVE-2024-25137 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVE-2024-25137 has been assigned to this vulnerability. A CVSS v4 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.2.3 Plaintext Storage of a Password CWE-256

In Automation-Direct C-MORE EA9 HMI credentials used by the platform are stored as plain text on the device.

CVE-2024-25138 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVE-2024-25138 has been assigned to this vulnerability. A CVSS v4 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy, Water and Wastewater
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Tomer Goldschmidt of Claroty Research – Team82 reported these vulnerabilities to CISA.

4. MITIGATIONS

AutomationDirect recommends that users update C-MORE EA9 HMI to V6.78.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

March 26, 2024: Initial Publication

Advantech WebAccess/SCADA

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 7.1
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Advantech
Equipment: WebAccess/SCADA
Vulnerability: SQL Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an authenticated attacker to read or modify a remote database.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Advantech WebAccess/SCADA, a bowser-based SCADA software, are affected:

WebAccess/SCADA: Version 9.1.5U

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND (‘SQL INJECTION’) CWE-89:

There is a SQL Injection vulnerability in Advantech’s WebAccess/SCDA software that allows an authenticated attacker to remotely inject SQL code on the database. Successful exploitation of this vulnerability could allow an attacker to read or modify data on the remote database.

CVE-2024-2453 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N).

CVE-2024-2453 has been assigned to this vulnerability. A CVSS v4 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: East Asia, Europe, United States
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

CISA discovered a public Proof of Concept (PoC) as authored by Prześlij Komentarz and reported it to Advantech.

4. MITIGATIONS

Advantech recomends updating WebAccess/SCADA to version 9.1.6 or higher to mitigate this vulnerability.

CISA recommends users take defensive measures to minimize the risk of exploitation of this, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

5. UPDATE HISTORY

March 21, 2024: Initial Publication

Franklin Fueling System EVO 550/5000

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Franklin Fueling System
Equipment: EVO 550, EVO 5000
Vulnerability: Path Traversal

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to read arbitrary files on the system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Franklin Fueling System EVO 550 and EVO 5000, an automatic tank gauge (ATG), are affected:

EVO 550: All versions prior to 2.26.3.8963
EVO 5000: All versions prior to 2.26.3.8963

3.2 Vulnerability Overview

3.2.1 PATH TRAVERSAL: ‘/../FILEDIR’ CWE-25

Franklin Fueling System EVO 550 and EVO 5000 are vulnerable to a Path Traversal vulnerability that could allow an attacker to access sensitive files on the system.

CVE-2024-2442 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has been calculated for CVE-2024-2442. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Momen Eldawakhly of Samurai Digital Security Ltd reported this vulnerability to CISA.

4. MITIGATIONS

Franklin Fueling Systems released the following to fix this vulnerability:

EVO 550: 2.26.3.8963
EVO 5000: 2.26.3.8963

For more information, contact Franklin Fueling System.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

March 19, 2024: Initial Publication

Softing edgeConnector

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.2
ATTENTION: Low attack complexity
Vendor: Softing
Equipment: edgeConnector
Vulnerabilities: Cleartext Transmission of Sensitive Information, Path Traversal

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could create conditions that may allow remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Softing edgeConnector are affected:

Softing edgeConnector: Version 3.60
Softing edgeAggregator: Version 3.60

3.2 Vulnerability Overview

3.2.1 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) CWE-22

The affected product is vulnerable to an absolute path traversal vulnerability, which may allow an attacker with admin privileges to write to a file or overwrite a file in the filesystem.

CVE-2023-38126 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.2 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

The affected product is vulnerable to a cleartext transmission of sensitive information vulnerability, which may allow an attacker to capture packets to craft their own requests.

CVE-2024-0860 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Pan ZhenPeng (@Peterpan0927) and Li JianTao (@CurseRed) of STAR Labs SG Pte. Ltd. (@starlabs_sg) working with Trend Micro Zero Day Initiative reported these vulnerabilities to CISA. Claroty Team82 working with Trend Micro Zero Day Initiative reported these vulnerabilities to CISA

4. MITIGATIONS

Update Softing edgeConnector and edgeAggregator to v3.70 or greater

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

March 14, 2024: Initial Publication