CVE-2024-33892: Ewon Cosy+ Information Disclosure Flaw

CVE-2024-33892 Overview

CVE-2024-33892 is an insecure permissions vulnerability affecting HMS Networks Ewon Cosy+ industrial remote access gateways. The flaw allows unauthenticated network-based attackers to retrieve sensitive information through cookies on affected devices. The issue impacts firmware versions 21.x prior to 21.2s10 and 22.x prior to 22.1s3. Because Cosy+ devices provide remote access into operational technology (OT) and industrial control system (ICS) environments, exposure of session cookies can undermine the security boundary between corporate IT and plant-floor networks. HMS Networks addressed the flaw in firmware 21.2s10 and 22.1s3.

Critical Impact

Unauthenticated attackers can extract sensitive information through cookies on affected Cosy+ devices, exposing remote access sessions used to reach industrial control systems.

Affected Products

• Ewon Cosy+ Firmware versions 21.x below 21.2s10
• Ewon Cosy+ Firmware versions 22.x below 22.1s3
• Ewon Cosy+ 4G (APAC, EU, JP, NA), Cosy+ Ethernet, and Cosy+ WiFi hardware variants

Discovery Timeline

• 2024-07-29 - HMS Networks publishes security advisory for several Cosy+ vulnerabilities
• 2024-08-02 - CVE-2024-33892 published to NVD
• 2025-11-04 - Last updated in NVD database

Technical Details for CVE-2024-33892

Vulnerability Analysis

The vulnerability stems from insecure permissions in how the Cosy+ web management interface handles session cookies. Affected firmware exposes cookie data in a way that allows information leakage to network-positioned attackers. The defect is categorized under [CWE-312] (Cleartext Storage of Sensitive Information) and [CWE-281] (Improper Preservation of Permissions). Because Cosy+ functions as a secure industrial remote access gateway, leaked cookie material can be leveraged to impersonate authenticated users and pivot toward connected programmable logic controllers (PLCs) and human-machine interfaces (HMIs). Researchers at SySS GmbH documented related findings in a public technical writeup on hacking the Cosy+ gateway.

Root Cause

The root cause is improper handling and protection of session cookies on the device. Cookies that should be restricted to authenticated contexts are accessible in a manner that exposes their contents over the network. The two contributing CWE classes describe both the storage weakness ([CWE-312]) and the permission preservation failure ([CWE-281]) on the underlying resources.

Attack Vector

An attacker reaches the device over the network without prior authentication or user interaction. By interacting with the exposed cookie surface on the Cosy+ web interface, the attacker harvests session material that should remain confidential. The exposed information can support follow-on session hijacking against the management interface or the VPN service used to reach downstream OT assets.

No public proof-of-concept exploit is listed for this CVE. Technical context is available in the SySS Blog Post on Hacking a Secure Industrial Remote Access Gateway and the HMS Security Advisory 2024-07-29.

Detection Methods for CVE-2024-33892

Indicators of Compromise

• Unexpected HTTP/HTTPS requests to the Cosy+ web management interface from untrusted source addresses targeting cookie or session endpoints.
• Repeated authentication events from a Cosy+ session originating from multiple geographic locations or IPs in a short window.
• Unexplained VPN tunnels established through the Cosy+ gateway to downstream PLCs or HMIs.

Detection Strategies

• Inventory all Ewon Cosy+ devices and verify firmware versions against the fixed baselines 21.2s10 and 22.1s3.
• Inspect network captures for direct internet exposure of Cosy+ HTTPS management ports and review TLS session behavior against known clients.
• Correlate Talk2M cloud activity logs with on-premises gateway logs to identify mismatched or unauthorized session use.

Monitoring Recommendations

• Centralize syslog and authentication events from Cosy+ devices into a SIEM for behavioral baselining of administrator access.
• Alert on configuration changes, firmware downgrades, and new VPN account creation events on the gateway.
• Monitor north-south and east-west traffic between IT networks and OT segments traversing the Cosy+ device.

How to Mitigate CVE-2024-33892

Immediate Actions Required

• Upgrade affected Ewon Cosy+ devices to firmware 21.2s10 or 22.1s3 or later without delay.
• Rotate all administrator credentials and invalidate active sessions on the gateway after patching.
• Remove direct internet exposure of the Cosy+ web management interface and restrict access to trusted management networks.

Patch Information

HMS Networks released fixed firmware versions 21.2s10 and 22.1s3 that remediate the insecure permissions on cookie handling. Download instructions and full advisory details are available in the HMS Security Advisory 2024-07-29. Customers should also review the HMS Networks Cyber Security Overview for product hardening guidance.

Workarounds

• Place Cosy+ devices behind a firewall and permit management access only from a defined jump host or VPN.
• Disable unused services on the Cosy+ device and enforce strong, unique credentials for every administrator account.
• Segment OT networks behind the Cosy+ gateway so that compromise of the device does not grant flat access to control systems.

# Configuration example
# Verify current Cosy+ firmware version through the device web UI or eBuddy utility
# and confirm it meets or exceeds the fixed releases:
#   21.x branch: 21.2s10 or later
#   22.x branch: 22.1s3 or later
# Restrict inbound management access at an upstream firewall:
iptables -A FORWARD -p tcp -d <COSY_PLUS_IP> --dport 443 -s <MGMT_SUBNET> -j ACCEPT
iptables -A FORWARD -p tcp -d <COSY_PLUS_IP> --dport 443 -j DROP