CVE-2024-0860 Overview
CVE-2024-0860 affects Softing edgeAggregator and edgeConnector industrial edge products. The vulnerability stems from cleartext transmission of sensitive information [CWE-319] across the network. An attacker who captures network traffic can read sensitive data and craft their own requests to the affected devices. The flaw is remotely exploitable without authentication or user interaction. Softing edge products bridge operational technology (OT) networks with information technology (IT) systems, making this issue relevant to industrial control system (ICS) environments. CISA published advisory ICSA-24-074-13 covering this vulnerability.
Critical Impact
Network-adjacent attackers can intercept credentials and session data, then replay or forge requests against Softing edge components deployed in ICS environments.
Affected Products
- Softing edgeAggregator version 3.60
- Softing edgeConnector version 3.60
- Industrial edge deployments using affected Softing components
Discovery Timeline
- 2024-03-14 - CVE-2024-0860 published to the National Vulnerability Database
- 2025-01-23 - Last updated in the NVD
Technical Details for CVE-2024-0860
Vulnerability Analysis
The vulnerability falls under [CWE-319], Cleartext Transmission of Sensitive Information. The affected Softing products transmit sensitive data over the network without applying confidentiality protections such as Transport Layer Security (TLS). Any attacker positioned to observe network traffic between clients and the edge product can read this data in plaintext.
The consequence extends beyond passive disclosure. Once an attacker recovers authentication tokens, configuration data, or protocol parameters from captured packets, they can construct valid requests against the device. This allows the attacker to interact with the edge product as if they were a legitimate client, depending on the recovered material.
The vulnerability is reachable from the network and requires no privileges or user interaction. The impact is scoped to information confidentiality, with integrity and availability not directly affected by the underlying flaw.
Root Cause
The root cause is the absence of encryption on a communication channel that carries sensitive material. Either the affected service does not negotiate encrypted transport, or it falls back to a cleartext mode that exposes credentials and request data. Industrial edge products often expose management and data interfaces that historically relied on plaintext protocols, and this product version did not enforce encrypted alternatives.
Attack Vector
Exploitation requires the attacker to observe traffic between a client and the affected Softing component. This is achievable through network tap access, ARP spoofing on a flat OT segment, compromise of an intermediate switch, or a malicious host on the same broadcast domain. After capturing packets, the attacker extracts credentials or session identifiers and replays or modifies them to issue arbitrary requests to the edge product.
No verified public proof-of-concept code is available for this vulnerability. Refer to the CISA ICS Advisory ICSA-24-074-13 for vendor-provided technical context.
Detection Methods for CVE-2024-0860
Indicators of Compromise
- Unexpected client connections to Softing edgeAggregator or edgeConnector management interfaces from unfamiliar hosts.
- Repeated authentication attempts or request patterns originating from non-engineering workstations on the OT network.
- Configuration changes on edge devices that do not correlate with authorized change records.
Detection Strategies
- Inspect network traffic for plaintext protocols carrying credentials to or from Softing edge components.
- Correlate authentication events on edge devices with known administrator workstations and flag deviations.
- Monitor for ARP table changes, rogue DHCP responses, and SPAN port activity that indicate traffic interception on OT segments.
Monitoring Recommendations
- Forward edge device logs and OT network flow records to a centralized analytics platform for retention and correlation.
- Establish baselines for normal client-to-edge communication and alert on new source IPs or protocol changes.
- Apply intrusion detection signatures for industrial protocols and known credential-harvesting patterns on OT segments.
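The plaintext-credential inspection and source-baseline checks listed above can be run over reassembled TCP streams. The following is an added example, not code from the advisory or from Softing. The device address and engineering subnet reuse the example values from this page's iptables rule; port 8080, the HTTP-style payloads and the credential patterns are generic assumptions, because the advisory does not name the cleartext protocol.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed for illustration: device address and engineering subnet (not from the advisory).
EDGE_DEVICES = {"10.40.50.10"}
BASELINE_SOURCES = ip_network("10.20.30.0/24")

# Generic credential markers in cleartext application data; not Softing-specific.
CRED_PATTERNS = [
    re.compile(rb"(?i)^authorization:\s*(basic|bearer)\s+\S+", re.M),
    re.compile(rb"(?i)\b(password|passwd|pwd|token|secret)\s*[=:]\s*\S+"),
]

def is_tls_record(payload: bytes) -> bool:
    """True if the first client bytes look like a TLS handshake record header."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04

def analyze(sessions):
    """Return (src, dst, dport, finding) tuples for sessions that reach an edge device."""
    findings = []
    for s in sessions:
        if s["dst"] not in EDGE_DEVICES:
            continue
        key = (s["src"], s["dst"], s["dport"])
        if ip_address(s["src"]) not in BASELINE_SOURCES:
            findings.append(key + ("source-not-in-baseline",))
        if is_tls_record(s["payload"]):
            continue  # encrypted transport: nothing readable on the wire
        has_creds = any(p.search(s["payload"]) for p in CRED_PATTERNS)
        findings.append(key + ("cleartext-credentials" if has_creds else "cleartext-session",))
    return findings

# Constructed sample: first client payload of each TCP stream; port 8080 and paths are made up.
SAMPLE = [
    {"src": "10.20.30.15", "dst": "10.40.50.10", "dport": 443,
     "payload": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"},
    {"src": "10.20.30.15", "dst": "10.40.50.10", "dport": 8080,
     "payload": b"GET /config HTTP/1.1\r\nAuthorization: Basic ZXhhbXBsZTpleGFtcGxl\r\n\r\n"},
    {"src": "10.20.99.7", "dst": "10.40.50.10", "dport": 8080,
     "payload": b"POST /login HTTP/1.1\r\n\r\nuser=op&password=constructed"},
    {"src": "10.20.30.16", "dst": "10.40.50.10", "dport": 8080,
     "payload": b"GET /status HTTP/1.1\r\n\r\n"},
    {"src": "10.20.30.15", "dst": "10.40.50.99", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\n\r\n"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(*finding)
```

Any `cleartext-credentials` finding also identifies secrets to include in the credential rotation step, since they were readable on the wire.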
How to Mitigate CVE-2024-0860
Immediate Actions Required
- Identify all Softing edgeAggregator and edgeConnector deployments and confirm running versions, prioritizing version 3.60.
- Apply the vendor-supplied update referenced in CISA ICS Advisory ICSA-24-074-13.
- Rotate any credentials, API tokens, or shared secrets that may have traversed cleartext channels prior to remediation.
Patch Information
Softing addressed CVE-2024-0860 in versions released after 3.60. Consult CISA ICS Advisory ICSA-24-074-13 for the specific fixed version and vendor download instructions for each affected product line.
Workarounds
- Segment Softing edge components into dedicated VLANs and restrict access to authorized engineering workstations using firewall rules.
- Tunnel cleartext management traffic through a VPN or IPsec channel until patches are applied across the environment.
- Disable unused network services on the affected devices to reduce the volume of sensitive data exposed over the wire.
- Enforce strict ARP inspection, port security, and DHCP snooping on switches connecting OT assets to mitigate man-in-the-middle positioning.
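```bash
# Example: restrict access to a Softing edge device with iptables on a jump host
# Allow the engineering subnet to reach the device on TCP 443
iptables -A FORWARD -s 10.20.30.0/24 -d 10.40.50.10 -p tcp --dport 443 -j ACCEPT
# Drop all other forwarded traffic destined for the device
iptables -A FORWARD -d 10.40.50.10 -j DROP
```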


