CVE-2024-23601: Automationdirect P3-550e Firmware RCE Flaw

CVE-2024-23601 Overview

CVE-2024-23601 is a code injection vulnerability in the scan_lib.bin functionality of AutomationDirect P3-550E firmware version 1.2.10.9. A specially crafted scan_lib.bin file can lead to arbitrary code execution on the affected programmable logic controller (PLC). An attacker who can supply a malicious file to the device can trigger arbitrary code execution in the context of the PLC firmware. The vulnerability also affects multiple related AutomationDirect Productivity series controllers, including the P3-550, P3-530, P2-550, P1-550, and P1-540. The flaw is tracked under CWE-94 (Improper Control of Generation of Code) and CWE-345 (Insufficient Verification of Data Authenticity).

Critical Impact

A network-reachable attacker can deliver a crafted scan_lib.bin to achieve arbitrary code execution on industrial PLCs, putting operational technology (OT) processes and connected equipment at risk.

Affected Products

• AutomationDirect P3-550E firmware 1.2.10.9 and 4.1.1.10
• AutomationDirect P3-550 / P3-530 firmware 1.2.10.9 and 4.1.1.10
• AutomationDirect P2-550 / P1-550 / P1-540 firmware 1.2.10.10 and 4.1.1.10

Discovery Timeline

• 2024-05-28 - CVE-2024-23601 published to NVD
• 2025-02-12 - Last updated in NVD database

Technical Details for CVE-2024-23601

Vulnerability Analysis

The vulnerability resides in how the affected Productivity series PLCs process the scan_lib.bin file. This file contains scan-cycle library logic used by the controller during normal operation. The firmware fails to adequately verify the authenticity and integrity of the file before parsing and executing its contents. By substituting a crafted scan_lib.bin, an attacker injects code that the PLC runtime processes as legitimate logic. Successful exploitation results in arbitrary code execution within the controller, which can disrupt automated processes, manipulate physical outputs, or pivot deeper into operational networks. The attack requires no authentication and no user interaction, and it can be staged over the network.

Root Cause

The root cause combines two weaknesses. Under [CWE-345], the controller does not sufficiently verify the authenticity of scan_lib.bin (for example, through cryptographic signature validation). Under [CWE-94], the controller improperly handles attacker-controlled content during code generation or interpretation, allowing injected instructions to execute. The absence of signed firmware/library checks lets malicious payloads be loaded as trusted logic.

Attack Vector

Exploitation requires delivering a malicious scan_lib.bin to the PLC. This can be accomplished by an attacker with network access to the controller's management or programming interfaces, or by tampering with a file in the engineering workstation toolchain before it is pushed to the device. Once the crafted file is loaded, the embedded code executes on the controller. Refer to the Talos Intelligence Vulnerability Report (TALOS-2024-1943) for the full technical write-up.

Detection Methods for CVE-2024-23601

Indicators of Compromise

• Unexpected or unauthorized modifications to scan_lib.bin on Productivity series PLCs.
• Unscheduled firmware or library upload sessions to the PLC's programming port.
• Anomalous outbound traffic from PLCs or engineering workstations following a file transfer.
• Hash mismatches between deployed scan_lib.bin files and vendor-provided baselines.

Detection Strategies

• Compare on-device scan_lib.bin hashes against a known-good golden image stored offline.
• Monitor PLC programming protocol traffic for unauthorized write or upload operations.
• Alert on engineering workstation processes that push controller files outside scheduled change windows.
• Inspect controller logs for unexpected restarts, scan-cycle interruptions, or logic load events.

Monitoring Recommendations

• Deploy passive OT network monitoring to baseline normal PLC programming activity.
• Centralize logs from engineering workstations and historians for correlation with PLC events.
• Track changes to controller configuration files through versioned configuration management.
• Review remote access sessions to OT segments for unauthorized PLC interactions.

How to Mitigate CVE-2024-23601

Immediate Actions Required

• Apply the firmware update referenced in the AutomationDirect Security Advisory SA00039.
• Restrict network access to PLC programming interfaces to authorized engineering workstations only.
• Validate the integrity of scan_lib.bin on all affected controllers against vendor-supplied hashes.
• Audit recent file transfers and programming sessions for unauthorized activity.

Patch Information

AutomationDirect has published guidance and updated firmware in Security Advisory SA00039. Operators of P3-550E, P3-550, P3-530, P2-550, P1-550, and P1-540 controllers should upgrade to the fixed firmware version provided by the vendor and review configuration guidance for hardening the device.

Workarounds

• Isolate Productivity series PLCs on dedicated OT VLANs with strict ACLs blocking untrusted sources.
• Place affected controllers behind an industrial firewall or data diode where feasible.
• Disable remote programming features when not actively in use.
• Enforce multi-factor authentication and jump-host access for engineering workstations that manage PLCs.

# Configuration example: restrict access to PLC programming port at the firewall
# Replace <PLC_IP> and <ENG_WORKSTATION_IP> with your environment values
iptables -A FORWARD -p tcp -s <ENG_WORKSTATION_IP> -d <PLC_IP> --dport 25425 -j ACCEPT
iptables -A FORWARD -p tcp -d <PLC_IP> --dport 25425 -j DROP