CVE-2024-21764 Overview
CVE-2024-21764 is a hardcoded credentials vulnerability in Rapid Software LLC's Rapid SCADA platform affecting all versions prior to 5.8.4. The product ships with embedded credentials that allow remote attackers to connect to a specific network port without legitimate authentication. Because Rapid SCADA controls industrial processes, exploitation can grant adversaries direct access to operational technology (OT) environments. The Cybersecurity and Infrastructure Security Agency (CISA) tracks this issue under advisory ICSA-24-011-03. The flaw is categorized under CWE-798: Use of Hard-coded Credentials.
Critical Impact
Unauthenticated remote attackers can connect to a specific port using hardcoded credentials, compromising confidentiality, integrity, and availability of industrial control systems running Rapid SCADA.
Affected Products
- Rapid Software LLC Rapid SCADA versions prior to 5.8.4
- Deployments exposing the affected Rapid SCADA service port to untrusted networks
- Industrial control system environments using rapidscada:rapid_scada
Discovery Timeline
- 2024-02-02 - CVE-2024-21764 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-21764
Vulnerability Analysis
The vulnerability stems from credentials embedded directly into the Rapid SCADA codebase or default configuration. An attacker who knows or recovers these static credentials can authenticate to a specific service port without any prior access or user interaction. Rapid SCADA is supervisory software used to monitor and control industrial processes, so successful authentication exposes process data, configuration, and control logic. The flaw carries a network attack vector with no privileges required, placing it among the most severe authentication weaknesses in operational technology software.
Root Cause
The root cause is the inclusion of static credentials within the product distribution, as classified under CWE-798. Hardcoded credentials cannot be revoked or rotated through normal administrative procedures because they are required for the application to function. Any party with access to the binaries, documentation, or reverse-engineered configuration can extract and reuse the same secret across every deployment.
Attack Vector
Exploitation requires network reachability to the specific Rapid SCADA port referenced in the advisory. An attacker connects to the exposed service, supplies the hardcoded credential pair, and obtains an authenticated session. From there the adversary can read telemetry, alter setpoints, modify configuration, or pivot deeper into the industrial network. No user interaction is required, and the attack complexity is low. Refer to the CISA ICSA-24-011-03 Advisory for additional technical context.
Detection Methods for CVE-2024-21764
Indicators of Compromise
- Unexpected authenticated sessions to Rapid SCADA service ports from external or non-engineering workstation IP addresses
- Configuration changes, project file modifications, or new user accounts created outside scheduled maintenance windows
- Anomalous outbound connections from Rapid SCADA server hosts to unknown infrastructure
Detection Strategies
- Inventory all Rapid SCADA installations and identify those running versions earlier than 5.8.4
- Inspect authentication logs for logins occurring outside expected operator hours or from unauthorized subnets
- Compare running binaries and configuration files against known-good baselines to detect tampering
Monitoring Recommendations
- Enable continuous network monitoring between the IT and OT boundary, alerting on connections to Rapid SCADA ports from outside the engineering VLAN
- Forward Rapid SCADA host and authentication logs to a centralized SIEM for correlation with network telemetry
- Apply MITRE ATT&CK for ICS detection coverage for techniques such as T0812 (Default Credentials) and T0859 (Valid Accounts)
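The subnet and operator-hours checks described above can be prototyped over exported firewall or flow records before they are turned into SIEM rules. The following is an added example, not code from Rapid Software or the advisory; the port value, engineering subnet, operator hours, and the log layout are all assumptions, and the sample records are constructed.

```python
import ipaddress
from datetime import datetime, time

# Assumptions (not from the advisory): port, subnet, hours and record layout.
SCADA_PORT = 50000  # placeholder; substitute the port named in ICSA-24-011-03
ENGINEERING_NET = ipaddress.ip_network("10.20.30.0/24")
OPERATOR_HOURS = (time(6, 0), time(18, 0))

# Constructed sample records: "ISO-timestamp src_ip dst_ip dst_port action"
SAMPLE_FLOWS = """\
2024-02-05T09:14:02 10.20.30.15 10.20.40.5 50000 ACCEPT
2024-02-05T09:20:45 192.0.2.77 10.20.40.5 50000 ACCEPT
2024-02-05T23:41:10 10.20.30.15 10.20.40.5 50000 ACCEPT
2024-02-05T10:02:33 10.20.30.22 10.20.40.5 443 ACCEPT
2024-02-05T11:00:00 198.51.100.9 10.20.40.5 50000 DROP
truncated-record 10.20.30.15
"""

def classify(line):
    """Return an alert dict for a suspicious SCADA-port flow, else None."""
    parts = line.split()
    if len(parts) != 5:
        return None  # malformed record: skip rather than crash the pipeline
    ts, src, _dst, port, action = parts
    try:
        when = datetime.fromisoformat(ts)
        src_ip = ipaddress.ip_address(src)
        port = int(port)
    except ValueError:
        return None
    if port != SCADA_PORT:
        return None
    reasons = []
    if src_ip not in ENGINEERING_NET:
        reasons.append("source outside engineering subnet")
    if not (OPERATOR_HOURS[0] <= when.time() < OPERATOR_HOURS[1]):
        reasons.append("outside operator hours")
    if not reasons:
        return None
    # A permitted flow is a possible session; a dropped one is a blocked probe.
    severity = "high" if action == "ACCEPT" else "info"
    return {"time": ts, "src": src, "severity": severity, "reasons": reasons}

def find_alerts(log_text):
    return [a for a in map(classify, log_text.splitlines()) if a]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_FLOWS):
        print(alert)
```

Dropped flows are reported at lower severity so that blocked probes remain visible without drowning out connections that actually reached the service.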
How to Mitigate CVE-2024-21764
Immediate Actions Required
- Upgrade Rapid SCADA to version 5.8.4 or later on all affected systems
- Remove direct internet exposure of Rapid SCADA service ports and place the application behind a firewall or jump host
- Audit all existing accounts and rotate any credentials that may have been used during the exposure window
Patch Information
Rapid Software LLC has addressed the issue in Rapid SCADA version 5.8.4. Administrators should download the current release via the Rapid SCADA Contact Page and follow the upgrade procedure during a maintenance window. After the upgrade, validate that the hardcoded credential is no longer accepted by attempting a controlled authentication test from an isolated host.
Workarounds
- Restrict network access to the affected Rapid SCADA port using host-based firewalls and network ACLs that allow only trusted engineering workstations
- Segment the SCADA environment from corporate IT networks using a demilitarized zone (DMZ) and unidirectional gateways where feasible
- Enable multi-factor authentication on all upstream remote access paths (VPN, jump servers) that lead to the Rapid SCADA environment
# Configuration example: restrict access to Rapid SCADA port using iptables
# Replace <RAPID_SCADA_PORT> with the affected port and <TRUSTED_SUBNET> with engineering subnet
iptables -A INPUT -p tcp --dport <RAPID_SCADA_PORT> -s <TRUSTED_SUBNET> -j ACCEPT
iptables -A INPUT -p tcp --dport <RAPID_SCADA_PORT> -j DROP