CVE-2024-22187 Overview
A write-what-where vulnerability exists in the Remote Memory Diagnostics function of the Programming Software Connection interface of AutomationDirect Productivity Series PLCs; it was reported against the P3-550E running firmware version 1.2.10.9. A specially crafted network packet causes the PLC to write attacker-controlled data to an attacker-chosen memory address. The packet is processed without any authentication, so any host that can reach the programming interface over the network can trigger the write. The vulnerability is rated critical.
Critical Impact
Unauthenticated remote attackers can achieve arbitrary memory writes on industrial control systems, potentially allowing complete device compromise, manipulation of PLC logic, or denial of service affecting industrial processes.
Affected Products
- AutomationDirect P3-550E Firmware (versions 1.2.10.9 and 4.1.1.10)
- AutomationDirect P3-550 Firmware (versions 1.2.10.9 and 4.1.1.10)
- AutomationDirect P3-530 Firmware (versions 1.2.10.9 and 4.1.1.10)
- AutomationDirect P2-550 Firmware (versions 1.2.10.10 and 4.1.1.10)
- AutomationDirect P1-550 Firmware (versions 1.2.10.10 and 4.1.1.10)
- AutomationDirect P1-540 Firmware (versions 1.2.10.10 and 4.1.1.10)
Discovery Timeline
- May 28, 2024 - CVE-2024-22187 published to NVD
- February 12, 2025 - Last updated in NVD database
Technical Details for CVE-2024-22187
Vulnerability Analysis
This is a write-what-where condition: the attacker controls both the value written and the address it is written to. It is catalogued under CWE-284 (Improper Access Control) because the root defect is not a parsing bug but a missing access check: the Remote Memory Diagnostics feature of the Programming Software Connection interface performs the write without verifying that the requester is an authorized programming session. Arbitrary writes into a PLC's memory are especially dangerous because that memory holds the running control logic, I/O state and device configuration.
The attack is carried out remotely over the network with no credentials. Any PLC whose programming interface is reachable from an untrusted network, or from a compromised host on an internal segment, is exposed. The impact is to integrity and availability: an attacker can corrupt PLC memory, alter control logic, or crash the device.
For detailed technical analysis, refer to the Talos Intelligence Vulnerability Report.
Root Cause
The root cause of this vulnerability is improper access control in the Remote Memory Diagnostics functionality. The Programming Software Connection interface fails to properly authenticate requests before allowing memory write operations. This allows unauthenticated network packets to trigger memory writes, bypassing expected security controls that should restrict such dangerous operations to authorized programming software and authenticated sessions.
Attack Vector
The vulnerability is exploited via network-based attack vectors. An attacker crafts a malicious network packet targeting the Programming Software Connection interface of the PLC. The packet contains specially formatted data that instructs the Remote Memory Diagnostics functionality to write attacker-controlled data to an attacker-specified memory address.
The attack flow involves:
- The attacker identifies a vulnerable AutomationDirect Productivity Series PLC on the network
- A specially crafted packet is sent to the Programming Software Connection interface
- The Remote Memory Diagnostics functionality processes the packet without authentication
- Arbitrary data is written to the specified memory location, potentially corrupting PLC operation or enabling further exploitation
Detection Methods for CVE-2024-22187
Indicators of Compromise
- Connections to the PLC's Programming Software Connection port from any host other than the authorized engineering workstations, in particular from hosts on the corporate network or from the internet
- Diagnostic or memory-access operations recorded by the PLC or the programming software that do not correspond to scheduled engineering work (where the device or software provides such logging)
- PLC firmware corruption, unexpected behavior changes, or unexplained crashes
- Unauthorized modifications to PLC logic or configuration
Detection Strategies
- Implement network monitoring to detect and alert on connections to PLC programming interfaces from non-authorized engineering workstations
- Deploy industrial protocol-aware intrusion detection systems (IDS) capable of inspecting traffic to AutomationDirect devices
- Monitor for anomalous packet patterns targeting the Remote Memory Diagnostics functionality
- Establish baseline network behavior for PLC communications and alert on deviations
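As an added example (not part of the original page and not AutomationDirect tooling), the following Python script applies the first and fourth strategies above to firewall-style connection records: it flags every connection to the PLC programming port that does not originate from an allowlisted engineering workstation, skips malformed lines, and counts hits per source so a host sweeping several PLCs stands out. The PLC subnet, the workstation address, the port number 2222 and the log lines are all constructed assumptions; substitute the port your Productivity Suite installation actually uses.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample records (not taken from any real device or the page):
# "timestamp src_ip src_port dst_ip dst_port proto", as a firewall or
# flow-export log might emit them.
SAMPLE_LOG = """\
2024-06-03T08:01:12Z 10.10.10.50 51234 192.168.100.10 2222 tcp
2024-06-03T08:02:44Z 10.10.10.50 51240 192.168.100.11 2222 tcp
2024-06-03T09:17:05Z 10.20.30.7 44101 192.168.100.10 2222 tcp
2024-06-03T09:17:06Z 10.20.30.7 44102 192.168.100.11 2222 tcp
2024-06-03T09:20:00Z 10.10.10.51 49822 192.168.100.10 502 tcp
2024-06-03T09:21:13Z 172.16.5.9 40000 192.168.100.10 2222 tcp
this line is malformed and must be skipped
"""

# Assumed site-specific values: the PLC segment, the authorized engineering
# workstation(s), and the programming port. 2222 is a placeholder, not a
# documented Productivity Suite port number.
PLC_NETWORK = ipaddress.ip_network("192.168.100.0/24")
ENGINEERING_WORKSTATIONS = {ipaddress.ip_address("10.10.10.50")}
PROGRAMMING_PORT = 2222

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)$")


def parse_line(line):
    """Parse one record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport, proto = m.groups()
    try:
        return {
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "sport": int(sport),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto,
        }
    except ValueError:
        # Unparseable address: treat as malformed rather than crash the monitor.
        return None


def is_unauthorized_programming_access(rec):
    """True when a non-allowlisted host talks to a PLC's programming port."""
    return (
        rec["dst"] in PLC_NETWORK
        and rec["dport"] == PROGRAMMING_PORT
        and rec["src"] not in ENGINEERING_WORKSTATIONS
    )


def find_alerts(log_text):
    """Return the records that should raise an alert, in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_unauthorized_programming_access(rec):
            alerts.append(rec)
    return alerts


def hits_per_source(alerts):
    """Count alerts per source address; a host touching several PLCs stands out."""
    return Counter(str(a["src"]) for a in alerts)


if __name__ == "__main__":
    found = find_alerts(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} ALERT {a['src']}:{a['sport']} -> {a['dst']}:{a['dport']}")
    print(dict(hits_per_source(found)))
```

On the constructed log this raises three alerts (two from 10.20.30.7, which touches two PLCs in one second, and one from 172.16.5.9); the Modbus-style connection on port 502 from 10.10.10.51 is not flagged because the rule is scoped to the programming port only. In production, feed the script from a tap or firewall log export rather than a static string, and keep the allowlist in configuration so it can be audited.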
Monitoring Recommendations
- Enable logging on network firewalls and switches for all traffic to/from Productivity Series PLCs
- Implement continuous network traffic analysis for industrial control system segments
- Monitor PLC health metrics and status registers for unexpected changes indicating tampering
- Review and audit programming software connection logs regularly for unauthorized access attempts
How to Mitigate CVE-2024-22187
Immediate Actions Required
- Isolate vulnerable AutomationDirect Productivity Series PLCs from untrusted networks immediately
- Implement network segmentation to restrict access to PLC programming interfaces to authorized engineering workstations only
- Apply firmware updates from AutomationDirect as documented in their security advisory
- Disable the Remote Memory Diagnostics functionality if it is not operationally required and the device or programming software provides a way to do so; where it cannot be disabled, network restrictions are the only control that prevents the unauthenticated write
Patch Information
AutomationDirect has released a security advisory addressing this vulnerability. Organizations should consult the AutomationDirect Security Advisory (SA00036) for official patch information and updated firmware versions. Coordinate firmware updates with operational requirements to minimize production impact while ensuring timely remediation.
Workarounds
- Implement strict firewall rules to block unauthorized access to PLC programming ports from all networks except dedicated engineering VLANs
- Deploy industrial demilitarized zones (DMZ) between corporate networks and control system networks
- Use application-layer firewalls or deep packet inspection to filter malicious packets targeting the Programming Software Connection interface
- Consider deploying jump servers for all programming access to PLCs, requiring multi-factor authentication before network connectivity is permitted
# Example firewall rules on the Linux gateway between the engineering VLAN and the PLC segment
# (adjust ports and IPs as needed; 2222 is a placeholder, not a documented Productivity Suite port).
# The rules go in the FORWARD chain because the gateway relays the traffic; INPUT would only
# match packets addressed to the gateway itself, and the PLC does not run iptables.
# Allow reply traffic for connections already permitted
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow programming access only from the authorized engineering workstation
iptables -A FORWARD -p tcp -s 10.10.10.50 -d 192.168.100.10 --dport 2222 -j ACCEPT
# Log and then block all other access to the PLC programming interface (the log feeds detection)
iptables -A FORWARD -p tcp -d 192.168.100.10 --dport 2222 -j LOG --log-prefix "PLC-PROG-DENY: "
iptables -A FORWARD -p tcp -d 192.168.100.10 --dport 2222 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

