CVE-2024-9409 Overview
CVE-2024-9409 affects Schneider Electric PowerLogic PM5320, PM5340, and PM5341 power meters. The flaw is an uncontrolled resource consumption issue [CWE-400] triggered by a high volume of Internet Group Management Protocol (IGMP) packets on the network. When the device processes this traffic, it becomes unresponsive and loses network communication. The vulnerability is exploitable over the network without authentication or user interaction. Schneider Electric published advisory SEVD-2024-317-01 on November 13, 2024.
Critical Impact
Unauthenticated network attackers can cause PowerLogic PM53xx meters to stop responding, disrupting power monitoring and downstream operational technology (OT) workflows.
Affected Products
- Schneider Electric PowerLogic PM5320 (firmware)
- Schneider Electric PowerLogic PM5340 (firmware)
- Schneider Electric PowerLogic PM5341 (firmware)
Discovery Timeline
- 2024-11-13 - CVE-2024-9409 published to the National Vulnerability Database
- 2024-11-13 - Schneider Electric publishes advisory SEVD-2024-317-01
- 2024-11-19 - Last updated in NVD database
Technical Details for CVE-2024-9409
Vulnerability Analysis
The PowerLogic PM5320, PM5340, and PM5341 are networked power meters used in industrial and commercial electrical monitoring. The devices participate in IPv4 multicast group management through IGMP. The firmware does not adequately bound the resources consumed while parsing and tracking inbound IGMP messages. A sustained burst of IGMP traffic exhausts processing capacity on the embedded network stack. The device then stops responding to legitimate Modbus/TCP, web, and management traffic, breaking communication with supervisory control and data acquisition (SCADA) systems.
Root Cause
The root cause is classified as CWE-400: Uncontrolled Resource Consumption. The firmware lacks rate limiting or fair queuing for IGMP membership reports, queries, and leave messages. Each packet consumes CPU cycles and memory in the protocol handler without the device shedding load when buffers fill.
Attack Vector
An attacker on the same Layer 2 or Layer 3 broadcast/multicast domain as the meter floods the network segment with IGMP packets. No credentials, prior access, or user interaction are required. The result is a denial-of-service condition limited to availability; confidentiality and integrity of meter data are not directly impacted, but loss of telemetry can cascade into operational impact for industrial control system (ICS) operators. The EPSS score is 0.271% (50.69th percentile) as of June 2025.
No public proof-of-concept code or in-the-wild exploitation has been reported. Refer to the Schneider Electric Security Advisory SEVD-2024-317-01 for vendor technical details.
Detection Methods for CVE-2024-9409
Indicators of Compromise
- Sudden loss of Modbus/TCP polling responses or HTTP management connectivity from PM5320, PM5340, or PM5341 meters.
- Spike in IGMPv2 or IGMPv3 packet rates on VLANs hosting PowerLogic meters, especially membership reports and queries from unexpected sources.
- Switch port counters showing elevated multicast traffic toward meter MAC addresses.
- SCADA historian gaps correlated with network anomalies on OT segments.
Detection Strategies
- Deploy ICS-aware network intrusion detection signatures that alarm on IGMP packet rates exceeding baseline thresholds per VLAN.
- Use passive OT monitoring tools to baseline IGMP traffic from PowerLogic devices and alert on deviations.
- Correlate device unreachability events from polling engines with packet capture data on affected segments.
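The rate-threshold and correlation strategies above, as an added example (not from the original page or the vendor advisory): a per-VLAN sliding-window IGMP rate check whose alerts are then matched against meter poll timeouts. It assumes packets are already decoded into (timestamp, VLAN, source, IGMP type) records; the baseline, multiplier, lookback window, addresses, and meter names are constructed for illustration.

```python
from collections import defaultdict, deque

# IGMP message type codes (RFC 2236 / RFC 3376)
IGMP_TYPES = {0x11: "query", 0x12: "v1-report", 0x16: "v2-report",
              0x17: "leave", 0x22: "v3-report"}

def igmp_rate_alerts(packets, baseline_pps, window=1.0, factor=5.0):
    """Return [(ts, vlan, count, top_src)] each time a VLAN's IGMP count in the
    trailing `window` seconds first exceeds factor * baseline_pps[vlan] * window."""
    recent = defaultdict(deque)      # vlan -> deque of (ts, src) inside the window
    alarmed = set()                  # VLANs currently over threshold
    alerts = []
    for ts, vlan, src, msg_type in sorted(packets):
        if msg_type not in IGMP_TYPES:
            continue
        q = recent[vlan]
        q.append((ts, src))
        while q and q[0][0] <= ts - window:
            q.popleft()
        limit = factor * baseline_pps.get(vlan, 1.0) * window
        if len(q) > limit:
            if vlan not in alarmed:  # alert once per excursion, not per packet
                alarmed.add(vlan)
                srcs = [s for _, s in q]
                alerts.append((ts, vlan, len(q), max(set(srcs), key=srcs.count)))
        else:
            alarmed.discard(vlan)
    return alerts

def correlate_outages(alerts, poll_timeouts, lookback=30.0):
    """Pair each meter poll timeout with an IGMP alert on the same VLAN within `lookback` s before it."""
    hits = []
    for t_ts, vlan, meter in poll_timeouts:
        for a_ts, a_vlan, _count, src in alerts:
            if a_vlan == vlan and 0 <= t_ts - a_ts <= lookback:
                hits.append((meter, vlan, src, round(t_ts - a_ts, 3)))
    return hits

# Constructed sample records: (timestamp_s, vlan, source_ip, igmp_type)
BASELINE = {120: 2.0, 130: 2.0}      # assumed normal IGMP packets/s per VLAN
SAMPLE = [(i * 0.5, 120, "10.20.120.1", 0x11) for i in range(4)]            # routine queries
SAMPLE += [(10 + i * 0.01, 120, "10.20.120.66", 0x16) for i in range(200)]  # abnormal report rate
SAMPLE += [(10.5, 130, "10.20.130.1", 0x11)]                                # quiet VLAN
TIMEOUTS = [(14.0, 120, "PM5340-A"), (14.0, 130, "PM5320-B")]               # poller timeouts

if __name__ == "__main__":
    alerts = igmp_rate_alerts(SAMPLE, BASELINE)
    print(alerts)
    print(correlate_outages(alerts, TIMEOUTS))
```

Only the timeout on VLAN 120 is tied to an IGMP excursion; the VLAN 130 timeout has no matching alert and needs a separate investigation.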
Monitoring Recommendations
- Enable IGMP snooping statistics on managed switches and forward syslog to a central collector for threshold alerting.
- Monitor SNMP availability of PM53xx meters and trigger investigation on consecutive timeouts.
- Capture full packets at OT/IT boundary firewalls for forensic review when meter communication loss occurs.
How to Mitigate CVE-2024-9409
Immediate Actions Required
- Inventory all PowerLogic PM5320, PM5340, and PM5341 meters and confirm firmware versions against SEVD-2024-317-01.
- Isolate affected meters on dedicated VLANs with strict ingress filtering from corporate or untrusted networks.
- Apply the remediation or mitigation steps published by Schneider Electric in the vendor advisory.
Patch Information
Schneider Electric documents the affected versions and remediation guidance in advisory SEVD-2024-317-01. Operators should follow the firmware update or compensating control instructions provided by the vendor and validate the change in a maintenance window, as PowerLogic meters are often deployed in production electrical monitoring roles.
Workarounds
- Enable IGMP snooping on switches serving PowerLogic meters to constrain multicast flooding.
- Implement storm control or multicast rate limiting on switch ports facing meters to cap IGMP packet rates.
- Restrict Layer 3 reachability to meter management interfaces using firewall access control lists between IT and OT zones.
- Place meters behind an ICS-aware firewall that filters non-essential multicast traffic and enforces protocol allow-lists.
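```
! Example: Cisco IOS interface configuration to rate-limit multicast and enable IGMP snooping
interface GigabitEthernet0/5
 description PowerLogic PM5340 meter
 switchport mode access
 switchport access vlan 120
 ! Storm control measures multicast received on this port, as a percentage of port bandwidth
 storm-control multicast level 1.00
 ! "shutdown" error-disables the port when the level is exceeded
 storm-control action shutdown
!
! Enable IGMP snooping globally and on the meter VLAN
ip igmp snooping
ip igmp snooping vlan 120
```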