CVE-2024-6421 Overview
CVE-2024-6421 affects multiple Pepperl+Fuchs OIT-series optical identification sensors. An unauthenticated remote attacker can read sensitive device information through an incorrectly configured File Transfer Protocol (FTP) service exposed by the affected firmware. The flaw is categorized as Files or Directories Accessible to External Parties [CWE-552]. Because the FTP service exposes data without requiring credentials, attackers with network reachability can retrieve configuration and operational data from industrial devices used in production environments.
Critical Impact
Unauthenticated network attackers can exfiltrate sensitive device information from affected Pepperl+Fuchs OIT sensors over FTP, enabling reconnaissance for follow-on attacks against operational technology environments.
Affected Products
- Pepperl+Fuchs OIT200-F113-B12-CB and its firmware
- Pepperl+Fuchs OIT500-F113-B12-CB and its firmware
- Pepperl+Fuchs OIT700-F113-B12-CB and OIT1500-F113-B12-CB and their firmware
Discovery Timeline
- 2024-07-10 - CVE-2024-6421 published to the National Vulnerability Database (NVD)
- 2025-08-22 - Last updated in NVD database
Technical Details for CVE-2024-6421
Vulnerability Analysis
The affected Pepperl+Fuchs OIT optical identification sensors ship with an FTP service whose configuration permits unauthenticated read access. The vulnerability is an information disclosure issue mapped to [CWE-552], where files or directories on the device are accessible to external parties without proper access controls. Attackers who can reach the device on its FTP port can enumerate and download files containing device configuration, operational parameters, and other sensitive content.
No user interaction or prior authentication is required, and exploitation does not affect system integrity or availability directly. However, the disclosed data can support reconnaissance, fingerprinting, and the development of follow-on attacks against the surrounding industrial control system (ICS) network.
Root Cause
The root cause is an insecure default or misconfiguration of the FTP service embedded in the OIT-series firmware. The service permits anonymous or unauthenticated sessions and exposes file system locations that should be access-restricted. According to the VDE Security Advisory VDE-2024-038, the issue stems from how the FTP server permissions are provisioned in the firmware build.
Attack Vector
Exploitation requires only network reachability to the FTP port on the affected device. An attacker connects to the FTP service, authenticates anonymously or with default credentials accepted by the misconfigured service, and lists or retrieves files containing sensitive device data. In typical operational technology deployments, where OIT sensors are connected to plant networks, an attacker with a foothold on the network segment can perform the disclosure without leaving conventional authentication traces. No proof-of-concept exploit code is publicly listed, and the issue is not present in CISA's Known Exploited Vulnerabilities catalog.
No verified exploit code is available for CVE-2024-6421. See the VDE Security Advisory VDE-2024-038 for vendor-provided technical details.
Detection Methods for CVE-2024-6421
Indicators of Compromise
- Anonymous or unauthenticated FTP login events on TCP port 21 directed at Pepperl+Fuchs OIT-series devices
- Outbound transfers of configuration or device data files originating from OIT sensor IP addresses
- Repeated LIST, RETR, or NLST FTP commands from external or unmanaged hosts to OT-segment devices
Detection Strategies
- Inspect network flow records and packet captures for FTP sessions targeting OIT sensor IP ranges, especially sessions that succeed without an AUTH exchange
- Correlate FTP access patterns with asset inventory to identify connections from hosts that have no legitimate maintenance role
- Apply intrusion detection signatures that alert on anonymous FTP logins to industrial endpoints
Monitoring Recommendations
- Forward firewall and switch logs from OT network segments to a centralized analytics platform for longitudinal review of FTP activity
- Enable continuous asset discovery to identify any OIT device exposing TCP port 21 to broader network zones
- Baseline normal engineering workstation activity against affected sensors and alert on deviations
How to Mitigate CVE-2024-6421
Immediate Actions Required
- Identify all Pepperl+Fuchs OIT200, OIT500, OIT700, and OIT1500 devices in the environment and verify firmware versions
- Restrict network access to the FTP service through firewall rules or access control lists so that only authorized engineering hosts can reach TCP port 21
- Place affected devices inside a dedicated OT network segment isolated from corporate IT and untrusted networks
Patch Information
Refer to the VDE Security Advisory VDE-2024-038 for vendor-provided remediation guidance and any firmware updates published by Pepperl+Fuchs. Apply remediation in accordance with the vendor advisory and validate the fix in a test environment prior to production rollout.
Workarounds
- Disable the FTP service on affected devices if it is not required for operations
- Enforce network segmentation and deny inbound FTP traffic to OIT sensors at the perimeter and between zones
- Monitor FTP traffic to and from affected devices and block anonymous logins at the network layer where possible
# Example firewall rule to restrict FTP access to authorized engineering host only
iptables -A INPUT -p tcp --dport 21 -s <engineering_host_ip> -d <oit_device_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -d <oit_device_ip> -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
