
CVE-2024-38502: Pepperl-Fuchs ICDM-RX/TCP XSS Vulnerability

CVE-2024-38502 is a stored XSS vulnerability in Pepperl-Fuchs ICDM-RX/TCP SocketServer firmware that allows unauthenticated attackers to steal information or reboot devices. This article covers technical details, impact, and mitigation.


CVE-2024-38502 Overview

CVE-2024-38502 is a stored Cross-Site Scripting (XSS) vulnerability [CWE-79] affecting multiple Pepperl-Fuchs ICDM-RX industrial device server product families. An unauthenticated remote attacker can inject persistent script payloads into the device's web management interface. When an administrator views the affected page, the injected script executes in the administrator's browser context. This allows the attacker to harvest session information or trigger a single device reboot, disrupting industrial communications. The flaw impacts ICDM-RX firmware lines for Socketserver, PROFINET, PROFINET/Modbus, Modbus Router, Modbus Server, Modbus TCP, EtherNet/IP, and EIP/Modbus variants used in operational technology (OT) environments.

Critical Impact

An unauthenticated remote attacker can store malicious script that executes against any authenticated administrator, enabling information theft and a one-time reboot of the affected industrial gateway.

Affected Products

  • Pepperl-Fuchs ICDM-RX/TCP Socketserver firmware and associated hardware variants (tcp-16db9/rj45-rm, tcp-16rj45/2rj45-pm, tcp-32rj45/rj45-rm, others)
  • Pepperl-Fuchs ICDM-RX/PN and PN1 PROFINET firmware and hardware variants (pn-db9/rj45-din, pn1-4db9/2rj45-din, others)
  • Pepperl-Fuchs ICDM-RX/MOD Modbus Router/Server/TCP firmware and ICDM-RX/EN and EN1 EtherNet/IP and EIP/Modbus firmware lines

Discovery Timeline

  • 2024-08-13 - CVE-2024-38502 published to NVD
  • 2024-08-22 - Last updated in NVD database

Technical Details for CVE-2024-38502

Vulnerability Analysis

The ICDM-RX series provides serial-to-Ethernet gateway functionality for industrial protocols including PROFINET, Modbus, and EtherNet/IP. Device administration occurs through an embedded web interface. The web application accepts attacker-controlled input without sufficient output encoding and persists that input in device state. When an authenticated administrator later renders the affected page, the browser interprets the stored payload as executable script.

The attack does not require credentials to plant the payload, since the input vector is reachable without authentication. User interaction from the administrator is required to trigger execution, which aligns with the UI:R component in the published CVSS vector. The scope change (S:C) reflects that script executing in the administrator's browser context can reach resources beyond the originally vulnerable component, including the authenticated session and device control endpoints.

Root Cause

The root cause is improper neutralization of input during web page generation [CWE-79]. User-supplied content reaches the rendered HTML response without context-aware escaping. Because the unsanitized data is stored on the device rather than reflected in a single request, every administrator visiting the affected page is exposed until the data is cleared.
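The following added example (not code from the page or from Pepperl-Fuchs) shows the CWE-79 pattern described above and its fix in miniature. It assumes hypothetical configuration fields (`device_name`, `description`) rendered into a status page and a form input, with constructed sample values; the HTML parser is used only to show which tags and attributes a browser would see in each rendering.

```python
import html
from html.parser import HTMLParser

# Constructed sample values for two hypothetical ICDM-RX configuration fields.
# The first breaks out of a quoted attribute, the second injects a tag into text.
SAMPLE_FIELDS = {
    "device_name": 'x" onfocus="probe()',
    "description": '<img src=x onerror="probe()">',
}

# Two rendering contexts a management page might use for the same stored data.
PAGE_TEMPLATE = "<h1>{name}</h1><p>{desc}</p>"
FORM_TEMPLATE = '<input name="device_name" value="{name}">'


def render_unsafe(fields):
    """Interpolates stored values verbatim: the vulnerable pattern (CWE-79)."""
    return PAGE_TEMPLATE.format(name=fields["device_name"], desc=fields["description"])


def render_safe(fields):
    """Escapes <, >, &, and quotes before interpolating into HTML text."""
    return PAGE_TEMPLATE.format(
        name=html.escape(fields["device_name"], quote=True),
        desc=html.escape(fields["description"], quote=True),
    )


def render_form_unsafe(fields):
    """Attribute context without escaping: a stray quote ends the attribute."""
    return FORM_TEMPLATE.format(name=fields["device_name"])


def render_form_safe(fields):
    """quote=True is what keeps the value inside the value=\"...\" attribute."""
    return FORM_TEMPLATE.format(name=html.escape(fields["device_name"], quote=True))


class _Collector(HTMLParser):
    """Records the start tags and attribute names a browser would parse."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.append([name for name, _ in attrs])


def _parse(rendered):
    collector = _Collector()
    collector.feed(rendered)
    collector.close()
    return collector


def tags_in(rendered):
    """Tag names present in the rendered page, in document order."""
    return _parse(rendered).tags


def attr_names(rendered):
    """Attribute names of the first element in the rendered fragment."""
    return _parse(rendered).attrs[0]


if __name__ == "__main__":
    # The unsafe page grows an <img> element; the unsafe form grows an onfocus handler.
    print(tags_in(render_unsafe(SAMPLE_FIELDS)), tags_in(render_safe(SAMPLE_FIELDS)))
    print(attr_names(render_form_unsafe(SAMPLE_FIELDS)), attr_names(render_form_safe(SAMPLE_FIELDS)))
```

The point of the two templates is that escaping must match the output context: `html.escape` with `quote=True` covers both the text and the double-quoted attribute context here, while escaping only angle brackets would leave the attribute breakout intact.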

Attack Vector

An attacker reachable on the network sends a crafted request to the web interface of the ICDM-RX device, embedding JavaScript in a field that the firmware later renders to administrators. When an administrator logs in and navigates to that page, the payload executes. The script can read DOM data, exfiltrate session cookies or CSRF tokens to an attacker-controlled host, or issue a request that triggers a device reboot. According to the advisory, the reboot action is limited to a single occurrence per exploitation. Refer to the VDE Security Advisory VDE-2024-033 for vendor-confirmed technical details.

Detection Methods for CVE-2024-38502

Indicators of Compromise

  • Unexpected HTML tags, <script> blocks, or JavaScript event handlers stored in ICDM-RX configuration fields visible through the web UI.
  • Outbound HTTP/HTTPS requests originating from administrator workstations to unfamiliar domains immediately after accessing the ICDM-RX management interface.
  • Unscheduled device reboot events recorded in ICDM-RX or upstream PLC/SCADA logs.

Detection Strategies

  • Inspect HTTP request bodies and query parameters destined for ICDM-RX management interfaces for script tags, JavaScript URIs, and HTML event attributes such as onerror= or onload=.
  • Baseline the configuration fields exposed by the ICDM-RX web UI and alert on any change containing markup characters (<, >, ").
  • Correlate administrator browser activity with ICDM-RX configuration changes to surface stored payloads delivered before the admin visit.
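As an added example that is not part of the original page, the following Python implements the first two detection strategies: it scans the form-encoded body of a captured request to the management interface for script tags, JavaScript URIs, and event-handler attributes, and it diffs a baselined set of configuration fields against a current read-out, flagging changed fields that contain markup characters. The request path `/config.htm`, the field names, and the request and configuration contents are all constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Indicator patterns taken from the detection strategies above. The event-handler
# list is deliberately explicit to avoid matching ordinary words that start with "on".
INDICATORS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.IGNORECASE),
    "event_handler": re.compile(r"\bon(error|load|click|mouseover|focus|blur)\s*=", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "markup_chars": re.compile(r'[<>"]'),
}


def find_indicators(value):
    """Names of the indicator patterns that match a single decoded field value."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(value)]


def scan_request(raw_request):
    """Maps each suspicious form field in a raw HTTP request body to its indicators.

    parse_qs performs the URL decoding, so percent-encoded tags are inspected in
    their decoded form. Only application/x-www-form-urlencoded bodies are handled.
    """
    _, _, body = raw_request.partition("\r\n\r\n")
    hits = {}
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            found = find_indicators(value)
            if found:
                hits[field] = found
    return hits


def diff_config(baseline, current):
    """Changed configuration fields whose new value contains markup indicators."""
    flagged = {}
    for field, value in current.items():
        if baseline.get(field) != value:
            found = find_indicators(value)
            if found:
                flagged[field] = found
    return flagged


# Constructed sample request to a hypothetical configuration endpoint; the
# description field carries a percent-encoded image tag with an event handler.
SAMPLE_REQUEST = (
    "POST /config.htm HTTP/1.1\r\n"
    "Host: icdm-rx.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "device_name=gateway-01&description=%3Cimg+src%3Dx+onerror%3Dprobe()%3E"
    "&contact=ops%40example.invalid"
)

# Constructed baseline and current configuration snapshots for the diff check.
BASELINE_CONFIG = {"device_name": "gateway-01", "description": "Line 3 serial bridge"}
CURRENT_CONFIG = {
    "device_name": "gateway-01",
    "description": "<script src=//example.invalid/x.js></script>",
}

if __name__ == "__main__":
    print(scan_request(SAMPLE_REQUEST))
    print(diff_config(BASELINE_CONFIG, CURRENT_CONFIG))
```

The `markup_chars` pattern is intentionally broad and will flag legitimate values that contain a quote or angle bracket; in practice it belongs in the configuration-baseline check, where any such change warrants review, rather than as a standalone network alert.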

Monitoring Recommendations

  • Forward ICDM-RX device logs and network flow data from OT segments into a centralized analytics platform for cross-source correlation.
  • Monitor for unauthenticated POST or configuration requests against ICDM-RX management endpoints from non-engineering subnets.
  • Track device availability and reboot counters to identify the single-reboot symptom described in the advisory.

How to Mitigate CVE-2024-38502

Immediate Actions Required

  • Apply the firmware update referenced in VDE-2024-033 to every affected ICDM-RX firmware family in your environment.
  • Restrict network access to the ICDM-RX web management interface to a dedicated engineering management VLAN with explicit allow-list rules.
  • Audit current device configuration fields for stored script content and clear any unexpected entries before administrators log back in.

Patch Information

Pepperl-Fuchs has coordinated remediation through CERT@VDE. Consult VDE Security Advisory VDE-2024-033 for the fixed firmware versions corresponding to each ICDM-RX product line (Socketserver, PROFINET, PROFINET/Modbus, Modbus Router, Modbus Server, Modbus TCP, EtherNet/IP, EIP/Modbus) and apply the matching release for your hardware variant.

Workarounds

  • Place ICDM-RX devices behind an OT firewall and block inbound HTTP/HTTPS to the management interface from any untrusted network.
  • Require administrators to access the device web UI from a dedicated jump host that does not browse external sites in the same session.
  • Disable or limit web management access where the device can be configured exclusively through serial or trusted out-of-band channels.
```bash
# Example firewall rule restricting ICDM-RX web UI to a management subnet
# Replace ICDM_RX_IP and MGMT_SUBNET with environment-specific values
# Rules are appended in order, so the ACCEPT rules must precede the DROP rules
iptables -A FORWARD -p tcp -d ICDM_RX_IP --dport 80  -s MGMT_SUBNET -j ACCEPT
iptables -A FORWARD -p tcp -d ICDM_RX_IP --dport 443 -s MGMT_SUBNET -j ACCEPT
iptables -A FORWARD -p tcp -d ICDM_RX_IP --dport 80  -j DROP
iptables -A FORWARD -p tcp -d ICDM_RX_IP --dport 443 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
