CVE-2024-33893 – Cosy+ industrial remote access gateways running... (How to Fix)

Q: What is the severity of CVE-2024-33893?

CVE-2024-33893 has a CVSS score of 6.1 (MEDIUM). Cosy+ industrial remote access gateways running vulnerable firmware versions are susceptible to cross-site scripting (XSS) attacks when displaying logs due to improper input sanitization. This allows attackers to inject malicious scripts that execute in the context of legitimate users' browsers. Organizations using affected Cosy+ devices for industrial control system remote access are impacted.

📋 TL;DR

Cosy+ industrial remote access gateways running vulnerable firmware versions are susceptible to cross-site scripting (XSS) attacks when displaying logs due to improper input sanitization. This allows attackers to inject malicious scripts that execute in the context of legitimate users' browsers. Organizations using affected Cosy+ devices for industrial control system remote access are impacted.

💻 Affected Systems

Products:

Ewon Cosy+ industrial remote access gateways

Versions: Firmware 21.x below 21.2s10, Firmware 22.x below 22.1s3

Operating Systems: Embedded firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All Cosy+ devices running affected firmware versions are vulnerable when logs are displayed through the web interface.

📦 What is this software?

Ewon Cosy\+ Firmware by Hms Networks

View all CVEs affecting Ewon Cosy\+ Firmware →

Ewon Cosy\+ Firmware by Hms Networks

View all CVEs affecting Ewon Cosy\+ Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, hijack sessions, redirect users to malicious sites, or perform actions on the device with the victim's privileges, potentially compromising industrial control systems.

🟠

Likely Case

Attackers inject malicious scripts to steal session cookies or credentials, enabling unauthorized access to the Cosy+ device management interface.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to the management interface of the affected device only.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires the attacker to have access to inject malicious content into logs or trick users into viewing crafted log entries. Detailed technical analysis is publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 21.2s10 or 22.1s3

Vendor Advisory: https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf

Restart Required: Yes

Instructions:

1. Download firmware update from HMS Networks/Ewon support portal. 2. Backup device configuration. 3. Upload firmware via web interface. 4. Apply update and restart device. 5. Verify firmware version after reboot.

🔧 Temporary Workarounds

Restrict access to management interface

all

Limit access to Cosy+ web interface to trusted IP addresses only using firewall rules.

Disable unnecessary log viewing

all

Restrict user permissions to prevent access to log viewing functionality if not required.

🧯 If You Can't Patch

Implement strict network segmentation to isolate Cosy+ devices from untrusted networks
Deploy web application firewall (WAF) with XSS protection rules in front of Cosy+ management interface

🔍 How to Verify

Check if Vulnerable:

Access Cosy+ web interface, navigate to System > About, check firmware version against affected ranges.

Check Version:

No CLI command available. Check via web interface at System > About page.

Verify Fix Applied:

After updating, verify firmware version shows 21.2s10 or higher for 21.x branch, or 22.1s3 or higher for 22.x branch.

📡 Detection & Monitoring

Log Indicators:

Unusual log entries containing script tags or JavaScript code
Multiple failed login attempts followed by successful login from new IP

Network Indicators:

HTTP requests to Cosy+ interface containing script injection patterns
Outbound connections from Cosy+ device to unexpected external domains

SIEM Query:

source="cosy_logs" AND (message="<script" OR message="javascript:" OR message="onerror=" OR message="onload=")

📊 Metadata

CVE ID: CVE-2024-33893

CVSS v3 Score: 6.1 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE: CWE-79

Published: August 2, 2024

Last Updated: November 4, 2025

🔗 References

https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/ Exploit,Third Party Advisory
https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf Vendor Advisory
https://www.ewon.biz/products/cosy/ewon-cosy-wifi Product
https://www.hms-networks.com/cyber-security VDB Entry,Vendor Advisory
http://seclists.org/fulldisclosure/2024/Aug/19
http://seclists.org/fulldisclosure/2024/Aug/22

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-33893, you might also want to check these: