CVE-2024-6242 Overview
CVE-2024-6242 is a security boundary bypass vulnerability affecting Rockwell Automation ControlLogix® 1756 chassis controllers. The flaw allows a threat actor to circumvent the Trusted® Slot feature, which is designed to enforce trust boundaries between modules in the chassis. An attacker who exploits this weakness on any affected module within a 1756 chassis can send Common Industrial Protocol (CIP) commands that modify user projects or device configuration on Logix controllers. The vulnerability is tracked under CWE-420: Unprotected Alternate Channel and impacts the integrity and availability of industrial control system (ICS) operations.
Critical Impact
Threat actors with network access and low privileges can bypass chassis trust boundaries to manipulate Logix controller programs and configuration, threatening physical process integrity.
Affected Products
- Rockwell Automation ControlLogix® 1756 chassis controllers
- Logix controllers reachable through modules in a 1756 chassis
- Modules implementing the Trusted® Slot feature
Discovery Timeline
- 2024-08-01 - CVE-2024-6242 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-6242
Vulnerability Analysis
The Trusted® Slot feature in ControlLogix 1756 chassis is intended to enforce a trust boundary, allowing only designated slots to issue privileged CIP commands to Logix controllers. CVE-2024-6242 breaks that boundary. A threat actor with network access to a vulnerable module in the chassis can send CIP traffic that the controller treats as originating from a trusted slot. As a result, the attacker can modify user projects, alter device configuration, and influence the controller's operational state. The flaw affects systems where multiple modules share a backplane, expanding the blast radius of a single compromised module across the entire chassis.
Root Cause
The vulnerability stems from an unprotected alternate channel (CWE-420) in how CIP traffic is validated against the Trusted® Slot policy. The slot-based trust check can be bypassed, allowing CIP commands from non-trusted sources to reach the Logix controller as if they were authorized. Authorization decisions rely on routing metadata that an attacker can influence, rather than on a cryptographically enforced trust boundary.
Attack Vector
Exploitation requires network reachability to a module in the 1756 chassis and low-level privileges on that module. No user interaction is required. After establishing a CIP session, the attacker issues commands that should be restricted to the trusted slot, such as project download, controller mode changes, or tag value modification. The vulnerability mechanism is described in the Rockwell Automation Security Advisory SD1682; no public proof-of-concept code has been released.
Detection Methods for CVE-2024-6242
Indicators of Compromise
- Unexpected CIP write or configuration commands directed at Logix controllers from non-engineering modules
- Unscheduled project downloads, controller mode transitions, or tag modifications on ControlLogix devices
- New or anomalous CIP sessions originating from modules that should not communicate with the controller slot
Detection Strategies
- Inspect CIP traffic on the OT network with a protocol-aware IDS to flag privileged service codes (e.g., 0x4F, 0x53) reaching the controller from unauthorized sources
- Correlate Logix controller audit logs with module-level activity to identify command flows that bypass the Trusted® Slot policy
- Baseline normal CIP message patterns per slot and alert on deviations
Monitoring Recommendations
- Forward chassis and controller logs to a centralized SIEM for long-term retention and correlation across IT and OT
- Monitor changes to controller project checksums, firmware versions, and run/program mode states
- Track east-west traffic between chassis modules and adjacent engineering workstations
How to Mitigate CVE-2024-6242
Immediate Actions Required
- Apply the firmware updates referenced in Rockwell Automation Security Advisory SD1682 to all affected 1756 modules
- Restrict network access to the 1756 chassis to authorized engineering workstations and jump hosts only
- Audit existing chassis configurations and remove any unused or untrusted modules
Patch Information
Rockwell Automation has published fixed firmware versions in advisory SD1682. Operators should consult the advisory for the specific module and controller versions that remediate CVE-2024-6242 and schedule maintenance windows to apply updates across all affected chassis.
Workarounds
- Segment OT networks so that CIP traffic cannot traverse from enterprise zones to the 1756 chassis
- Place ControlLogix controllers behind a properly configured CIP-aware firewall such as a 1756-EN4TR or equivalent boundary device
- Set controller keyswitches to RUN where operationally feasible to prevent project modification
- Enable and monitor Logix controller change detection and audit logging
# Configuration example: restrict CIP access to engineering subnet only
# (vendor-neutral firewall pseudo-rules for the OT boundary)
allow tcp from 10.10.20.0/24 to 10.20.30.10 port 44818
allow udp from 10.10.20.0/24 to 10.20.30.10 port 2222
deny tcp from any to 10.20.30.10 port 44818
deny udp from any to 10.20.30.10 port 2222
log all denied cip
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
