CVE-2024-24851 Overview
CVE-2024-24851 is a heap-based buffer overflow vulnerability in the Programming Software Connection FiBurn functionality of the AutomationDirect P3-550E programmable logic controller (PLC) running firmware version 1.2.10.9. A specially crafted network packet sent to an affected device can trigger memory corruption on the heap. The flaw requires no authentication and can be exploited remotely across the network. The vulnerability affects multiple AutomationDirect Productivity series PLCs, including the P1-540, P1-550, P2-550, P3-530, P3-550, and P3-550E. Talos Intelligence tracks the issue as TALOS-2024-1936.
Critical Impact
An unauthenticated attacker with network access to an affected PLC can send a malicious packet to corrupt heap memory, resulting in denial of service on industrial control systems.
Affected Products
- AutomationDirect P3-550E firmware versions 1.2.10.9 and 4.1.1.10
- AutomationDirect P3-550 and P3-530 firmware versions 1.2.10.9 and 4.1.1.10
- AutomationDirect P1-540, P1-550, and P2-550 firmware versions 1.2.10.10 and 4.1.1.10
Discovery Timeline
- 2024-05-28 - CVE-2024-24851 published to NVD
- 2025-02-12 - Last updated in NVD database
Technical Details for CVE-2024-24851
Vulnerability Analysis
The vulnerability resides in the Programming Software Connection FiBurn functionality used by AutomationDirect Productivity series PLCs to communicate with engineering workstations. The handler processes attacker-controlled fields from inbound network packets without sufficient bounds validation before copying data into a heap-allocated buffer. The condition is classified under [CWE-805] Buffer Access with Incorrect Length Value and [CWE-787] Out-of-bounds Write. Successful exploitation corrupts heap metadata or adjacent allocations, leading to process termination and loss of PLC availability. The attack impacts availability only, with no confidentiality or integrity loss reflected in the CVSS impact metrics.
Root Cause
The root cause is missing or incorrect length validation in the FiBurn packet parser. The handler trusts a size value taken from the network message and uses it to copy data into a fixed-size heap buffer. When the supplied length exceeds the destination capacity, the copy operation writes past the end of the allocation. Industrial protocol handlers in PLC firmware frequently lack the defensive checks common in mainstream operating systems, increasing exposure when these devices are reachable from operator networks.
Attack Vector
Exploitation requires only network access to the PLC and the ability to send a single crafted packet to the programming software connection service. No credentials, user interaction, or prior foothold are needed. The affected service typically listens on the PLC's engineering network interface, so attackers who pivot into operational technology (OT) segments can reach the vulnerable endpoint directly. A successful packet causes the firmware to corrupt heap memory and halt PLC operations.
No public proof-of-concept code is available. See the Talos Intelligence Vulnerability Report for protocol-level technical details.
Detection Methods for CVE-2024-24851
Indicators of Compromise
- Unexpected reboots, watchdog resets, or fault states on AutomationDirect Productivity series PLCs
- Inbound network traffic to PLC programming service ports from hosts outside the engineering workstation allow list
- Malformed or oversized FiBurn protocol messages observed in OT network captures
Detection Strategies
- Deploy industrial protocol-aware intrusion detection (such as Snort or Zeek with ICS protocol parsers) to flag malformed Productivity Suite programming traffic
- Baseline normal engineering workstation-to-PLC communications and alert on new source addresses initiating FiBurn sessions
- Correlate PLC availability loss events with preceding network activity from the IT/OT boundary
Monitoring Recommendations
- Forward OT network sensor logs and PLC diagnostic events into a centralized SIEM for correlation with enterprise telemetry
- Monitor span/tap traffic between Level 2 and Level 3 of the Purdue model for unexpected programming protocol flows
- Track PLC firmware versions in an asset inventory to identify unpatched devices exposed to the vulnerability
How to Mitigate CVE-2024-24851
Immediate Actions Required
- Apply the firmware updates referenced in the AutomationDirect Security Advisory SA00025
- Restrict network access to PLC programming ports using firewall rules permitting only authorized engineering workstations
- Place affected PLCs behind an OT-segmented network that is not directly reachable from corporate or internet-facing networks
Patch Information
AutomationDirect has issued guidance under advisory SA00025. Operators running firmware 1.2.10.9, 1.2.10.10, or 4.1.1.10 on Productivity series PLCs should consult the vendor advisory for current remediation guidance and updated firmware images appropriate to each model.
Workarounds
- Disable the Programming Software Connection service on PLCs that do not require remote programming
- Enforce strict allow-listing of source IP addresses permitted to reach the PLC programming interface
- Deploy an OT firewall or data diode between business networks and control system networks to block unauthorized inbound traffic
- Require VPN or jump-host access for engineers performing PLC programming tasks
# Example firewall rule restricting PLC programming access to a single workstation
# Replace PLC_IP and ENGINEER_WS_IP with environment-specific values
iptables -A FORWARD -p tcp -d PLC_IP --dport 9999 -s ENGINEER_WS_IP -j ACCEPT
iptables -A FORWARD -p tcp -d PLC_IP --dport 9999 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
