CVE-2024-45862 Overview
CVE-2024-45862 affects Kastle Systems Access Control System firmware released before May 1, 2024. The firmware stored machine credentials in cleartext, exposing sensitive authentication material to attackers with network access to affected devices. Cleartext credential storage maps to [CWE-312], a long-standing weakness class in embedded and IoT systems.
The vulnerability is network-exploitable, requires no privileges, and requires no user interaction. Successful exploitation discloses credentials that an attacker can reuse to access additional resources protected by the same access control infrastructure.
Critical Impact
Cleartext storage of machine credentials in Kastle Access Control System firmware allows unauthenticated network attackers to retrieve sensitive credentials and pivot into physical access control systems.
Affected Products
- Kastle Access Control System Firmware versions prior to May 1, 2024
- Kastle Access Control System hardware running affected firmware
- Deployments managed through the affected Kastle access control infrastructure
Discovery Timeline
- 2024-09-19 - CVE-2024-45862 published to the National Vulnerability Database
- 2024-09-30 - Last updated in NVD database
Technical Details for CVE-2024-45862
Vulnerability Analysis
The weakness stems from how the Kastle Access Control System firmware persists machine credentials. The firmware writes credentials to storage without encryption, hashing, or any equivalent protection. Any actor able to reach the device over the network and access the credential store can read those values directly.
The vulnerability falls under [CWE-312] Cleartext Storage of Sensitive Information. Machine credentials typically authenticate the device to backend services, controllers, or management consoles. Reusing those credentials lets an attacker impersonate the device, query the management plane, or move laterally inside the access control environment.
Because the impact is limited to confidentiality of credential material, integrity and availability of the device are not directly affected by this issue. However, recovered credentials can support follow-on attacks against linked systems, including physical door controllers and badge readers.
Root Cause
The root cause is a design decision to store sensitive authentication material in plaintext within the firmware image or persistent storage. The firmware lacks the secure storage primitives expected for embedded credentials, such as hardware-backed key storage, encrypted partitions, or one-way hashing of secrets that do not require reversibility.
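The contrast the root-cause paragraph draws can be shown on the verifier side of a machine credential, where reversibility is not needed. The following is an added example written for this page, not Kastle firmware or any vendor code: a management-side credential store that keeps the secret in cleartext (the CWE-312 pattern) beside one that keeps only a salt and a one-way scrypt digest, so a dump of the store yields nothing an attacker can replay. The device id, the secret value and the store layout are constructed assumptions; the device itself still needs the reversible secret, which is where hardware-backed or encrypted storage applies instead.

```python
"""Added example (not Kastle's code): verifier-side storage of a machine
credential as cleartext versus as a salted, one-way scrypt hash.

Assumptions (hypothetical, not from the advisory): a management server keeps a
small in-memory credential store keyed by device id and only ever needs to
verify a presented secret, never to recover it.
"""
import hashlib
import hmac
import secrets

# Constructed sample values; real deployments provision a random secret per device.
SAMPLE_DEVICE_ID = "reader-0042"
SAMPLE_SECRET = "constructed-shared-secret"


class CleartextStore:
    """Vulnerable pattern (CWE-312): the secret is persisted exactly as received."""

    def __init__(self):
        self.records = {}

    def enroll(self, device_id, secret):
        self.records[device_id] = secret.encode()

    def verify(self, device_id, presented):
        stored = self.records.get(device_id)
        return stored is not None and hmac.compare_digest(stored, presented.encode())


class HashedStore:
    """Hardened pattern: persist salt + scrypt(secret); the record is useless if dumped."""

    # scrypt work parameters (2**14 * 8 * 128 bytes = 16 MiB); raise N on capable hardware.
    N, R, P, DKLEN = 2 ** 14, 8, 1, 32

    def __init__(self):
        self.records = {}

    def _derive(self, secret, salt):
        return hashlib.scrypt(secret.encode(), salt=salt, n=self.N, r=self.R, p=self.P, dklen=self.DKLEN)

    def enroll(self, device_id, secret):
        salt = secrets.token_bytes(16)
        self.records[device_id] = (salt, self._derive(secret, salt))

    def verify(self, device_id, presented):
        rec = self.records.get(device_id)
        if rec is None:
            # Spend the same work for unknown ids so timing does not reveal enrolment status.
            self._derive(presented, b"\x00" * 16)
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._derive(presented, salt))


def store_leaks_secret(store, device_id, secret):
    """True if the persisted record for device_id contains the secret bytes verbatim."""
    rec = store.records[device_id]
    blob = rec if isinstance(rec, bytes) else b"".join(rec)
    return secret.encode() in blob


def demo():
    """Enroll the sample device in both stores and report what each one exposes."""
    cleartext, hashed = CleartextStore(), HashedStore()
    for store in (cleartext, hashed):
        store.enroll(SAMPLE_DEVICE_ID, SAMPLE_SECRET)
    return {
        "cleartext_verifies": cleartext.verify(SAMPLE_DEVICE_ID, SAMPLE_SECRET),
        "cleartext_leaks": store_leaks_secret(cleartext, SAMPLE_DEVICE_ID, SAMPLE_SECRET),
        "hashed_verifies": hashed.verify(SAMPLE_DEVICE_ID, SAMPLE_SECRET),
        "hashed_rejects_wrong": not hashed.verify(SAMPLE_DEVICE_ID, "wrong-secret"),
        "hashed_leaks": store_leaks_secret(hashed, SAMPLE_DEVICE_ID, SAMPLE_SECRET),
    }


if __name__ == "__main__":
    print(demo())
```

Both stores authenticate the genuine secret, but only the cleartext record reproduces it on inspection; the hashed record can be copied from a backup or a seized disk without giving the holder anything to present to another system.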
Attack Vector
The attack vector is network-based. An unauthenticated attacker with reachability to the affected device queries or extracts the stored credential material. No user interaction is required and no prior authentication is needed. CISA documents this issue in ICS Advisory ICSA-24-263-05.
No public proof-of-concept or exploit code is available. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The current EPSS probability is approximately 0.102%.
Detection Methods for CVE-2024-45862
Indicators of Compromise
- Unexpected outbound connections from Kastle access control devices to unfamiliar IP addresses or non-Kastle infrastructure
- Authentication events using device or service account credentials from hosts that are not the original Kastle controller
- Unusual administrative queries against Kastle management endpoints from internal hosts that do not normally communicate with the access control network
Detection Strategies
- Inventory all Kastle Access Control System devices and verify firmware build dates against the May 1, 2024 cutoff
- Inspect network captures between Kastle devices and management infrastructure for cleartext credential material in transit, and inspect firmware and configuration backup images for the same material at rest
- Correlate physical access control authentication logs with identity provider logs to spot reuse of machine credentials from unexpected sources
Monitoring Recommendations
- Place Kastle devices on a dedicated, monitored VLAN and alert on any traffic crossing the segment boundary
- Forward Kastle controller and management server logs to a centralized logging or SIEM platform for retention and correlation
- Monitor for new or unusual service account logons that match Kastle machine identities outside the access control subnet
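The indicator, detection and monitoring lists above all converge on one signal: a Kastle machine identity authenticating from a host that is not the controller it belongs to. The following is an added example, written for this page rather than taken from Kastle or CISA, that runs that check over identity-provider log lines. The log format (timestamp, account, source IP, result), the machine identity names, the access control subnet 10.50.0.0/24 and the controller addresses are all constructed assumptions; a real deployment would load the inventory from its CMDB and the events from its SIEM.

```python
"""Added example (not from the advisory, Kastle or CISA): flag logons that use
Kastle machine identities from hosts outside the access control segment.

Assumptions (constructed, not from the advisory): an identity-provider log in
'ts account src_ip result' form, a known set of Kastle machine identities,
the access control subnet 10.50.0.0/24, and controllers at 10.50.0.10-11.
"""
import ipaddress
from collections import defaultdict

# Constructed inventory: machine identities and where they are allowed to originate.
KASTLE_MACHINE_IDENTITIES = {"svc-kastle-ctrl01", "svc-kastle-ctrl02", "kastle-reader-api"}
ACCESS_CONTROL_SUBNET = ipaddress.ip_network("10.50.0.0/24")
KNOWN_CONTROLLERS = {ipaddress.ip_address("10.50.0.10"), ipaddress.ip_address("10.50.0.11")}

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2024-09-20T08:00:01Z svc-kastle-ctrl01 10.50.0.10 success
2024-09-20T08:00:07Z jdoe 10.20.30.15 success
2024-09-20T08:01:12Z svc-kastle-ctrl02 10.50.0.11 success
2024-09-20T08:03:44Z svc-kastle-ctrl01 10.20.30.88 success
2024-09-20T08:03:50Z kastle-reader-api 10.50.0.200 failure
2024-09-20T08:04:02Z kastle-reader-api 192.168.7.9 success
"""


def parse_line(line):
    """Split one log line into fields; returns None for malformed input."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, account, src, result = parts
    try:
        src_ip = ipaddress.ip_address(src)
    except ValueError:
        return None
    return {"ts": ts, "account": account, "src": src_ip, "result": result}


def classify(event):
    """Severity for a machine-identity logon, or None when the event is not of interest."""
    if event["account"] not in KASTLE_MACHINE_IDENTITIES:
        return None
    if event["src"] in KNOWN_CONTROLLERS:
        return None  # expected origin for this identity
    if event["src"] in ACCESS_CONTROL_SUBNET:
        # Right segment, wrong host: undocumented device or rogue host on the VLAN.
        return "medium"
    # Machine credential presented from outside the segment: consistent with credential reuse.
    return "high"


def find_credential_reuse(log_text):
    """Return alerts as (severity, account, src_ip, ts), high severity first, then by time."""
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        sev = classify(ev)
        if sev:
            alerts.append((sev, ev["account"], str(ev["src"]), ev["ts"]))
    order = {"high": 0, "medium": 1}
    return sorted(alerts, key=lambda a: (order[a[0]], a[3]))


def sources_per_identity(log_text):
    """Distinct source hosts per machine identity; a machine identity seen from more than one is itself a signal."""
    seen = defaultdict(set)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev and ev["account"] in KASTLE_MACHINE_IDENTITIES:
            seen[ev["account"]].add(str(ev["src"]))
    return {account: len(hosts) for account, hosts in seen.items()}


if __name__ == "__main__":
    for alert in find_credential_reuse(SAMPLE_LOG):
        print(alert)
    print(sources_per_identity(SAMPLE_LOG))
```

Failed logons are kept in scope on purpose: a machine credential that was rotated after the upgrade will show up as failures from the host that still holds the old copy, which is exactly the host worth examining.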
How to Mitigate CVE-2024-45862
Immediate Actions Required
- Upgrade affected Kastle Access Control System devices to firmware released on or after May 1, 2024, per vendor guidance referenced in ICSA-24-263-05
- Rotate any machine credentials, service account passwords, and API keys that were stored on affected firmware prior to the upgrade
- Restrict network access to Kastle devices so that only authorized management hosts can reach administrative interfaces
Patch Information
Kastle Systems addressed the vulnerability in firmware released on or after May 1, 2024. Operators should coordinate with Kastle Systems support to confirm the deployed firmware version on each controller and to schedule remediation across the fleet. Refer to CISA ICS Advisory ICSA-24-263-05 for vendor-aligned remediation guidance.
Workarounds
- Segment Kastle access control devices onto an isolated management network with strict firewall rules blocking inbound traffic from general user subnets
- Require VPN or jump host access for any administrative communication with Kastle controllers until firmware is upgraded
- Disable or restrict unused network services on the controllers to reduce exposure of the credential store to network-based extraction
# Example network segmentation rules for Kastle controllers
# Replace interface and subnet placeholders with site-specific values;
# 10.20.30.0/24 stands in for the authorized management host subnet
# Allow replies to already-permitted sessions regardless of the chain's default policy
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only the management subnet may open HTTPS to the controllers
iptables -A FORWARD -s 10.20.30.0/24 -d <kastle_mgmt_subnet> -p tcp --dport 443 -j ACCEPT
# Everything else destined for the controllers is dropped
iptables -A FORWARD -d <kastle_mgmt_subnet> -j DROP
# Controllers may not initiate traffic toward general user subnets
iptables -A FORWARD -s <kastle_mgmt_subnet> -d <corp_user_subnet> -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.