CVE-2017-11349

9.8 CRITICAL

📋 TL;DR

CVE-2017-11349 allows remote attackers to compose and execute programs or schedules on dataTaker DT8x dEX devices, enabling actions like sending unauthorized emails or making outbound FTP connections. This affects organizations using vulnerable versions of these industrial data loggers for environmental monitoring or industrial control systems.

💻 Affected Systems

Products:
  • Thermo Fisher Scientific dataTaker DT8x dEX
Versions: 1.72.007 and likely earlier versions
Operating Systems: Embedded/Proprietary
Default Config Vulnerable: ⚠️ Yes
Notes: Devices with network connectivity are vulnerable; serial-only connections may be safer.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could use the device as a pivot point to access internal networks, exfiltrate sensitive data via FTP/email, or disrupt industrial processes by modifying data collection schedules.

🟠

Likely Case

Unauthorized data exfiltration from the device or using it as a spam/relay node for malicious communications.

🟢

If Mitigated

Limited impact if device is isolated in a segmented network with strict outbound firewall rules.

🌐 Internet-Facing: HIGH - Directly exposed devices can be fully compromised remotely without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this to pivot within networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept demonstrates remote program composition via HTTP requests; no authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No public vendor advisory found

Restart Required: No

Instructions:

Contact Thermo Fisher Scientific for updated firmware or mitigation guidance.

🔧 Temporary Workarounds

Network Segmentation

Applies to: all versions

Isolate dataTaker devices in separate VLANs with strict firewall rules blocking all inbound/outbound traffic except essential protocols.

Disable Remote Management

Applies to: all versions

Configure devices to only allow local serial connections if remote access isn't required.

🧯 If You Can't Patch

  • Implement strict network access controls allowing only trusted IPs to communicate with the device
  • Monitor outbound connections from the device for unexpected FTP/email traffic

🔍 How to Verify

Check if Vulnerable:

Check device web interface version or attempt to access program composition features remotely via HTTP.

Check Version:

Check the device web interface or serial console for firmware version information.

Verify Fix Applied:

Verify device firmware version is newer than 1.72.007 or test that remote program composition is no longer possible.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected program/schedule creation logs
  • Unauthorized FTP/email connection attempts from device

Network Indicators:

  • HTTP POST requests to device program composition endpoints
  • Unexpected outbound FTP/SMTP traffic from device IP

SIEM Query:

(dest_ip=[device_ip] AND http_method=POST AND uri_contains="program") OR (source_ip=[device_ip] AND dest_port IN (21,25,587))
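The two network indicators above (an HTTP POST to the logger's program composition endpoints, and the logger itself opening FTP or SMTP connections) can be checked outside a SIEM as well. The following is an added example, not code from the page or from the vendor: it runs both rules over a handful of constructed, normalized flow records. The URI path `/program/compose` is a constructed placeholder, since the page names no specific endpoint; the "uri contains program" heuristic mirrors the page's query, and the outbound allow-list is an assumption added so that a legitimately configured mail relay does not alert.

```python
from dataclasses import dataclass

# Ports for the outbound protocols the advisory names: FTP, SMTP, SMTP submission.
EXFIL_PORTS = {21, 25, 587}


@dataclass(frozen=True)
class Event:
    """One normalized flow/HTTP record, as a SIEM would present it."""
    src_ip: str
    dst_ip: str
    dst_port: int
    http_method: str = ""   # empty for non-HTTP flows
    uri: str = ""


def is_program_composition_post(ev: Event, device_ip: str) -> bool:
    """Rule 1: an HTTP POST *to* the logger whose URI touches program composition."""
    return (ev.dst_ip == device_ip
            and ev.http_method.upper() == "POST"
            and "program" in ev.uri.lower())


def is_unexpected_outbound(ev: Event, device_ip: str, allowed) -> bool:
    """Rule 2: the logger itself opening FTP/SMTP to a host not on its allow-list."""
    return (ev.src_ip == device_ip
            and ev.dst_port in EXFIL_PORTS
            and ev.dst_ip not in allowed)


def detect(events, device_ip, allowed_outbound=frozenset()):
    """Return one alert tuple per matching event, in input order."""
    alerts = []
    for ev in events:
        if is_program_composition_post(ev, device_ip):
            alerts.append(("program_composition_post", ev.src_ip, ev.uri))
        elif is_unexpected_outbound(ev, device_ip, allowed_outbound):
            alerts.append(("unexpected_outbound", ev.dst_ip, ev.dst_port))
    return alerts


# Constructed sample events (not real traffic); IPs are RFC 5737 documentation
# addresses and the endpoint path is a placeholder, not a known device URI.
DEVICE_IP = "192.0.2.10"
SAMPLE_EVENTS = [
    Event("198.51.100.7", DEVICE_IP, 80, "POST", "/program/compose"),  # rule 1 hit
    Event("198.51.100.7", DEVICE_IP, 80, "GET", "/program/compose"),   # GET, not flagged
    Event("198.51.100.7", DEVICE_IP, 80, "POST", "/index.html"),       # POST elsewhere
    Event(DEVICE_IP, "203.0.113.5", 21),                               # rule 2 hit (FTP)
    Event(DEVICE_IP, "203.0.113.5", 587),                              # rule 2 hit (submission)
    Event(DEVICE_IP, "203.0.113.9", 25),                               # allow-listed relay
    Event(DEVICE_IP, "203.0.113.5", 443),                              # not a watched port
]
ALLOWED_OUTBOUND = frozenset({"203.0.113.9"})

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, DEVICE_IP, ALLOWED_OUTBOUND):
        print(alert)
```

Rule 1 keys on the destination being the logger, because the attacker sends the POST to the device; rule 2 keys on the source being the logger, because exfiltration is the device dialling out. Keeping the two directions separate avoids the trap of filtering both on `source_ip=[device_ip]`, which would never see the inbound POST.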
