CVE-2024-2442 Overview
CVE-2024-2442 is a path traversal vulnerability in Franklin Fueling Systems EVO 550 and EVO 5000 automatic tank gauge (ATG) controllers. The flaw allows a remote, unauthenticated attacker to traverse directories and read files stored on the device outside the directory the web interface is meant to serve. EVO controllers are deployed at fuel stations to monitor tank inventory, leak detection, and dispensing operations. The issue is classified under [CWE-25] (Path Traversal: '/../filedir'), a specific variant of CWE-22, and was published to the NVD on March 19, 2024. CISA issued ICS Advisory ICSA-24-079-01 covering this vulnerability in the affected products.
Critical Impact
An unauthenticated network attacker can read arbitrary files on EVO 550 and EVO 5000 devices, potentially exposing configuration data, credentials, and operational information from critical fuel infrastructure. The reported impact is to confidentiality only; no integrity or availability impact has been reported, but file disclosure from an ATG can be the first step of a wider compromise of the site's OT network.
Affected Products
- Franklin Fueling Systems EVO 550
- Franklin Fueling Systems EVO 5000
- Fuel station and energy sector industrial control environments in which either controller is deployed
Discovery Timeline
- 2024-03-19 - CVE-2024-2442 published to NVD and CISA ICS Advisory ICSA-24-079-01 released
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-2442
Vulnerability Analysis
The vulnerability is a path traversal flaw in the web-facing interface of the EVO 550 and EVO 5000 automatic tank gauge systems. An attacker submits crafted requests containing relative path sequences such as ../ to escape the intended document root. The controller joins the supplied path onto the served directory and opens the result without first canonicalizing it and checking that it still lies under the document root, so the operating system resolves the ../ sequences and the contents of a file outside the served directory are returned. Exploitation requires no authentication, no user interaction, and originates from the network. The impact is limited to confidentiality, with no integrity or availability degradation reported. If configuration files, log data, and credential material are stored in predictable locations, as is common on embedded controllers, an attacker can chain the disclosed information into follow-on attacks against the broader operational technology (OT) environment.
Root Cause
The underlying defect is tracked as [CWE-25] (Path Traversal: '/../filedir'), a specific variant of CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The application accepts user-supplied file path input and passes it to file retrieval logic without canonicalizing the resolved path and validating it against the allowed base directory. '/../' sequences are not neutralized before the file is opened and returned, so the filesystem resolves them and the read lands outside the document root.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker who can reach the device's HTTP interface sends a request containing directory traversal sequences in a file or resource parameter, and the server returns the contents of the targeted file. EVO devices exposed directly to the internet, or reachable through flat OT networks, are at highest risk. See CISA ICS Advisory ICSA-24-079-01 for the official description and the vendor's remediation guidance.
Detection Methods for CVE-2024-2442
Indicators of Compromise
- HTTP requests to EVO 550 or EVO 5000 management interfaces containing ../, ..%2f, %2e%2e, or double-encoded (%252e%252e) traversal sequences in URL parameters or path components
- Responses from EVO devices returning file content the web interface should never serve, such as /etc/passwd (where the firmware is Unix-like), configuration files, or log archives
- Repeated 200 OK responses to traversal-style URIs in web server logs on affected controllers
Detection Strategies
- Inspect network traffic to OT/ICS network segments for HTTP requests matching path traversal patterns directed at Franklin Fueling Systems EVO endpoints
- Deploy IDS/IPS signatures that flag directory traversal payloads against fueling controller IP ranges
- Correlate access attempts against the EVO web interface with source IPs that are not part of authorized maintenance or management networks
Monitoring Recommendations
- Enable and centralize logging from EVO 550 and EVO 5000 controllers where supported, and forward logs to a SIEM for review
- Monitor for unexpected internet-facing exposure of EVO devices using external attack surface management or services such as Shodan
- Establish a baseline of normal management traffic to fueling controllers and alert on deviations, particularly requests containing path metacharacters
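The indicators and detection strategies above amount to one check: decode each requested URI, look for dot-dot traversal, and weigh the hit by whether it actually escapes the served directory, whether the server answered 200, and whether the source is an authorized workstation. The following is an added example, not a signature from CISA, Franklin Fueling Systems, or any IDS vendor, that runs that check over a few constructed access-log lines in Common Log Format. The log lines, the addresses (10.20.30.40 as the authorized engineering workstation, 203.0.113.7 as an outside host), and the field names of the findings are all assumptions; the EVO controllers' real log format is not known from this page.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed access-log lines in Common Log Format; these are not real EVO logs.
SAMPLE_LOG = [
    '10.20.30.40 - - [19/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [19/Mar/2024:10:01:05 +0000] "GET /../../etc/passwd HTTP/1.1" 200 1432',
    '203.0.113.7 - - [19/Mar/2024:10:01:06 +0000] "GET /..%2f..%2fetc%2fshadow HTTP/1.1" 200 988',
    '203.0.113.7 - - [19/Mar/2024:10:01:07 +0000] "GET /%252e%252e/%252e%252e/config.ini HTTP/1.1" 404 0',
    '10.20.30.40 - - [19/Mar/2024:10:02:00 +0000] "GET /logs/../index.html HTTP/1.1" 200 5120',
]

CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
# Dot-dot followed by a path separator, or at the very end of the string.
TRAVERSAL = re.compile(r'\.\.(?:[/\\]|$)')


def decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing, so that a double-encoded
    '%252e%252e' is seen as '..' and not missed by a single-pass decoder."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_root(decoded_path):
    """Lexically resolve the path under a marker root. If the marker is no longer
    the common prefix, the request climbed above the served directory; a request
    like '/logs/../index.html' contains '..' but stays inside and is lower priority."""
    marker = "/__ROOT__"
    resolved = posixpath.normpath(posixpath.join(marker, decoded_path.lstrip("/")))
    return posixpath.commonpath([marker, resolved]) != marker


def scan_log(lines, allowed_sources=()):
    """Return one finding per request whose decoded URI carries a traversal sequence."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue                      # not CLF; a real pipeline would log the parse failure
        raw_uri = m["uri"]
        decoded_uri = decode_fully(raw_uri)
        if not TRAVERSAL.search(decoded_uri):
            continue
        path_only = decoded_uri.split("?", 1)[0]
        findings.append({
            "src": m["src"],
            "ts": m["ts"],
            "uri": raw_uri,
            "status": int(m["status"]),
            "encoded": decoded_uri != raw_uri,        # decoding was needed to reveal '..'
            "escapes_root": escapes_root(path_only),  # leaves the document root, not just contains '..'
            "likely_success": m["status"] == "200",   # 200 to a traversal URI: treat as disclosure
            "unexpected_source": m["src"] not in allowed_sources,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, allowed_sources=("10.20.30.40",)):
        flags = [k for k in ("encoded", "escapes_root", "likely_success", "unexpected_source") if f[k]]
        print(f"{f['src']:>12} {f['status']} {f['uri']:40} {' '.join(flags)}")
```

A finding with escapes_root, likely_success and unexpected_source all set is the one to escalate first: it is a request from outside the maintenance network that walked above the document root and got a 200 back, which on an unpatched EVO is file disclosure rather than an attempt.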
How to Mitigate CVE-2024-2442
Immediate Actions Required
- Remove EVO 550 and EVO 5000 controllers from direct internet exposure and place them behind a firewall on a segmented OT network
- Restrict access to the device management interface to a defined set of authorized engineering workstations
- Review web and network logs for evidence of prior exploitation attempts against affected controllers
- Contact Franklin Fueling Systems support to confirm the current firmware version and obtain remediation guidance referenced in CISA ICS Advisory ICSA-24-079-01
Patch Information
Refer to the CISA ICS Advisory ICSA-24-079-01 for vendor-supplied mitigation and firmware update guidance. Operators should coordinate directly with Franklin Fueling Systems to validate the supported fixed firmware versions for their specific EVO 550 or EVO 5000 deployment.
Workarounds
- Place EVO controllers behind a VPN and require multi-factor authentication for any remote management session
- Apply network ACLs that block inbound HTTP/HTTPS access to fueling controllers from untrusted source ranges
- Use a reverse proxy or web application firewall in front of the device to reject requests containing path traversal sequences; the filter must URL-decode (including double encoding) and normalize the path before matching, otherwise ..%2f and %252e%252e bypass a rule that only looks for a literal ../
- Follow CISA guidance on defense-in-depth strategies for industrial control systems, including network segmentation and minimization of remote access
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.