CVE-2024-5849 Overview
CVE-2024-5849 is a reflected Cross-Site Scripting (XSS) vulnerability [CWE-79] affecting multiple Pepperl+Fuchs ICDM-RX industrial gateway product families. An unauthenticated remote attacker can craft a malicious URL that, when visited by an authenticated user, executes attacker-controlled script in the browser context of the device's web interface. Successful exploitation lets an attacker exfiltrate session information or trigger a single device reboot, disrupting industrial serial-to-Ethernet communications. The vulnerability spans the SocketServer, PROFINET, PROFINET/Modbus, Modbus Router, Modbus Server, Modbus TCP, EtherNet/IP, and EIP/Modbus firmware variants across the ICDM-RX hardware line.
Critical Impact
A single crafted link can hijack an operator session or force a one-time reboot of an ICDM-RX gateway, briefly interrupting OT serial communications between PLCs and field devices.
Affected Products
- Pepperl+Fuchs ICDM-RX/TCP SocketServer firmware and associated hardware variants (TCP-16DB9, TCP-16RJ45, TCP-2DB9, TCP-2ST, TCP-32RJ45, TCP-4DB9, TCP-8DB9, TCP-DB9, TCP-ST)
- Pepperl+Fuchs ICDM-RX/PN PROFINET firmware and ICDM-RX/PN1 PROFINET/Modbus firmware with associated hardware variants
- Pepperl+Fuchs ICDM-RX/MOD Modbus Router, Modbus Server, and Modbus TCP firmware, plus ICDM-RX/EN EtherNet/IP and ICDM-RX/EN1 EIP/Modbus firmware variants
Discovery Timeline
- 2024-08-13 - CVE-2024-5849 published to the National Vulnerability Database (NVD)
- 2024-08-22 - Last updated in NVD database
Technical Details for CVE-2024-5849
Vulnerability Analysis
The flaw is a reflected XSS weakness in the embedded web management interface of the ICDM-RX gateway family. The web server returns attacker-supplied request data inside HTTP responses without sufficient output encoding or input sanitization. When an authenticated administrator or operator clicks a crafted link, the browser parses the reflected payload as part of the page and executes it within the trusted origin of the device.
Because the device's web UI manages the gateway configuration and includes a reboot control, an attacker can use the executed script to read page content, exfiltrate the session, or issue an authenticated reboot request on behalf of the victim. The advisory notes the reboot impact is limited to a single occurrence per successful exploitation.
Root Cause
The root cause is missing or incorrect neutralization of user input during web page generation, classified as [CWE-79]. Query parameters reflected back into rendered HTML are not encoded into safe HTML entities, allowing <script> payloads and event-handler attributes to break out of their intended context.
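The reflection pattern described above, as an added example that is not code from the ICDM-RX firmware or the advisory: a hypothetical status page reflects a query parameter verbatim (the CWE-79 pattern) next to the entity-encoded version, and a small HTML parser approximates what a browser would build from each. The page templates, the parameter name and the URLs are assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Hypothetical templates standing in for the gateway's status page; the real
# ICDM-RX page layout and parameter names are not known and are assumed here.
TEXT_TEMPLATE = "<html><body><p>Device: {value}</p></body></html>"
ATTR_TEMPLATE = '<html><body><input name="host" value="{value}"></body></html>'


def reflected_param(url: str, name: str = "name") -> str:
    """Return the URL-decoded query parameter that the page reflects into HTML."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url: str, template: str = TEXT_TEMPLATE) -> str:
    """CWE-79 pattern: the decoded parameter is pasted into the HTML verbatim."""
    return template.format(value=reflected_param(url))


def render_hardened(url: str, template: str = TEXT_TEMPLATE) -> str:
    """Same page, but the value is entity-encoded for element and attribute context."""
    return template.format(value=html.escape(reflected_param(url), quote=True))


class _Collector(HTMLParser):
    """Approximates the browser's view: which tags and attribute names exist."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.attrs: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(a for a, _ in attrs)


def parsed_tags_and_attrs(rendered: str) -> tuple[list[str], list[str]]:
    """Parse rendered HTML and return the tag names and attribute names found."""
    collector = _Collector()
    collector.feed(rendered)
    return collector.tags, collector.attrs


def is_safely_rendered(rendered: str) -> bool:
    """True when the reflected value introduced no script element or on* handler."""
    tags, attrs = parsed_tags_and_attrs(rendered)
    return "script" not in tags and not any(a.startswith("on") for a in attrs)
```

With the vulnerable renderer the parser reports a `script` element (or an `onload` attribute in the attribute-context template); with the hardened one the same input survives only as text.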
Attack Vector
Exploitation is network-based and requires user interaction. The attacker delivers a crafted URL pointing at the gateway's web interface, typically through phishing, an instant message, or an embedded link on an internal portal. When a user with an active session opens the link, the payload executes against the device origin and can perform any action the user's session permits.
No public exploit code is published for this issue. Refer to the VDE Security Advisory VDE-2024-033 for vendor technical details.
Detection Methods for CVE-2024-5849
Indicators of Compromise
- HTTP requests to the ICDM-RX web interface containing script tags, JavaScript URIs, or HTML event handlers such as onerror=, onload=, or <script> inside query strings
- Unexpected reboot events logged by the gateway shortly after a user accessed an externally supplied URL
- Outbound HTTP requests from operator workstations to attacker-controlled domains immediately after browsing to the gateway
Detection Strategies
- Inspect web server access logs on ICDM-RX devices and any reverse proxy fronting them for URL-decoded payloads containing HTML or JavaScript syntax
- Deploy network IDS signatures that flag XSS payload patterns in HTTP requests destined for OT management interfaces
- Correlate browser-side telemetry on engineering workstations with subsequent configuration changes or reboot events on industrial gateways
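An added example of the log-inspection strategy above (not tooling from Pepperl+Fuchs or the advisory): it URL-decodes the request target of Common Log Format access-log lines, including double-encoded values, and flags the script-tag, javascript: URI and event-handler patterns listed under Indicators of Compromise. The log lines, paths, parameter names and IP addresses are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Common Log Format); addresses, paths and
# parameter names are invented and do not come from a real ICDM-RX device.
SAMPLE_LOG = """\
10.10.50.10 - admin [13/Aug/2024:10:01:02 +0000] "GET /status.html?port=1 HTTP/1.1" 200 512
10.10.50.10 - admin [13/Aug/2024:10:02:15 +0000] "GET /status.html?port=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 530
10.10.60.7 - - [13/Aug/2024:10:03:40 +0000] "GET /config.html?name=%2522%2520onerror%253D%2522x HTTP/1.1" 200 600
10.10.50.10 - admin [13/Aug/2024:10:04:00 +0000] "GET /config.html?name=Line%201 HTTP/1.1" 200 600
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Patterns are matched against the fully decoded, lower-cased request target.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b"),
    "javascript_uri": re.compile(r"javascript\s*:"),
    "event_handler": re.compile(r"\bon[a-z]+\s*="),
}


def decode_target(target: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads are also seen."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target.lower()


def scan_log(text: str) -> list[tuple[str, str, str, list[str]]]:
    """Return (source, timestamp, decoded target, matched pattern names) per hit."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: not parseable as CLF
        decoded = decode_target(m.group("target"))
        hits = [name for name, pat in XSS_PATTERNS.items() if pat.search(decoded)]
        if hits:
            findings.append((m.group("src"), m.group("ts"), decoded, hits))
    return findings
```

The third sample line is double-encoded (`%2522` decodes to `%22` and then to `"`), which a single decoding pass would miss; the benign `Line%201` request is not flagged.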
Monitoring Recommendations
- Continuously monitor administrative HTTP traffic to ICDM-RX gateways and alert on requests originating from non-engineering workstations or external referrers
- Track device availability and unscheduled reboot counters in the OT monitoring platform to surface single-reboot anomalies consistent with this vulnerability
- Audit email and chat gateways for links that target internal ICDM-RX management IP addresses or hostnames
How to Mitigate CVE-2024-5849
Immediate Actions Required
- Identify all ICDM-RX devices in the environment across SocketServer, PROFINET, Modbus, and EtherNet/IP firmware families and inventory their firmware versions
- Apply the firmware update referenced in VDE Security Advisory VDE-2024-033 as soon as the vendor releases a fixed version for the affected product line
- Restrict access to the gateway web interface to a dedicated engineering VLAN and trusted jump hosts only
- Train operators and engineers to avoid clicking links that point to internal OT management URLs
Patch Information
Pepperl+Fuchs has coordinated disclosure of this issue through VDE CERT. Consult VDE Security Advisory VDE-2024-033 for the authoritative list of fixed firmware versions per ICDM-RX model and download links. Apply updates following the vendor's recommended maintenance procedure to avoid disrupting connected PLCs and field devices.
Workarounds
- Place ICDM-RX gateways behind a firewall that blocks HTTP access from corporate networks, allowing management traffic only from a hardened engineering workstation
- Disable or restrict the embedded web interface where the device supports it, and manage the gateway through out-of-band channels
- Require operators to log out of the gateway web UI after each session and use a dedicated browser profile that does not browse external content
- Apply Content Security Policy (CSP) and URL filtering at the network proxy to block known XSS payload patterns destined for OT management interfaces
# Example firewall rule restricting ICDM-RX management access to a single engineering host
# Replace 10.10.50.10 with the engineering workstation IP and 10.20.0.0/24 with the OT gateway subnet
iptables -A FORWARD -p tcp -s 10.10.50.10 -d 10.20.0.0/24 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -d 10.20.0.0/24 --dport 80 -j DROP
iptables -A FORWARD -p tcp -s 10.10.50.10 -d 10.20.0.0/24 --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp -d 10.20.0.0/24 --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

