CVE-2024-33894 – Cosy+ industrial remote access gateways running... (How to Fix)

Q: What is the severity of CVE-2024-33894?

CVE-2024-33894 has a CVSS score of 8.8 (HIGH). Cosy+ industrial remote access gateways running vulnerable firmware versions execute multiple processes with excessive privileges, allowing attackers to escalate privileges and potentially gain full system control. This affects organizations using Cosy+ devices for industrial network connectivity with firmware versions 21.x below 21.2s10 or 22.x below 22.1s3.

📋 TL;DR

Cosy+ industrial remote access gateways running vulnerable firmware versions execute multiple processes with excessive privileges, allowing attackers to escalate privileges and potentially gain full system control. This affects organizations using Cosy+ devices for industrial network connectivity with firmware versions 21.x below 21.2s10 or 22.x below 22.1s3.

💻 Affected Systems

Products:

Ewon Cosy+ industrial remote access gateways

Versions: Firmware 21.x below 21.2s10 or firmware 22.x below 22.1s3

Operating Systems: Embedded Linux-based firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All Cosy+ devices running affected firmware versions are vulnerable regardless of configuration.

📦 What is this software?

Ewon Cosy\+ Firmware by Hms Networks

View all CVEs affecting Ewon Cosy\+ Firmware →

Ewon Cosy\+ Firmware by Hms Networks

View all CVEs affecting Ewon Cosy\+ Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the Cosy+ device leading to lateral movement into industrial control systems, data exfiltration, or disruption of industrial operations.

🟠

Likely Case

Privilege escalation allowing attackers to execute arbitrary code, modify device configuration, or establish persistent access to industrial networks.

🟢

If Mitigated

Limited impact if devices are isolated from internet and internal networks have strict segmentation with proper access controls.

🌐 Internet-Facing: HIGH - Cosy+ devices are often deployed as internet-facing remote access gateways, making them prime targets for exploitation.

🏢 Internal Only: MEDIUM - Even internally deployed devices could be compromised through phishing or other initial access vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires initial access to the device (typically via web interface or SSH), after which privilege escalation is straightforward. Technical details and proof-of-concept code are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware 21.2s10 or 22.1s3 and later

Vendor Advisory: https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf

Restart Required: Yes

Instructions:

1. Download latest firmware from HMS Networks/Ewon support portal. 2. Backup current configuration. 3. Upload firmware via web interface. 4. Apply firmware update. 5. Reboot device. 6. Restore configuration if needed.

🔧 Temporary Workarounds

Network isolation

all

Isolate Cosy+ devices from internet and restrict network access to only necessary systems

Access control hardening

all

Implement strict authentication policies, disable unnecessary services, and use VPN for remote access instead of direct device exposure

🧯 If You Can't Patch

Implement network segmentation to isolate Cosy+ devices from critical industrial systems
Deploy intrusion detection systems to monitor for privilege escalation attempts and unusual process behavior

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface (System > About) or SSH connection and compare against vulnerable versions

Check Version:

ssh admin@device_ip 'cat /etc/version' or check web interface System > About page

Verify Fix Applied:

Confirm firmware version is 21.2s10 or higher for 21.x branch, or 22.1s3 or higher for 22.x branch

📡 Detection & Monitoring

Log Indicators:

Unusual privilege escalation attempts
Multiple processes running with root privileges
Unauthorized configuration changes

Network Indicators:

Unexpected outbound connections from Cosy+ devices
Unusual SSH or web interface access patterns

SIEM Query:

source="cosy+_logs" AND (event_type="privilege_escalation" OR process_name="unexpected_process" running_as="root")

📊 Metadata

CVE ID: CVE-2024-33894

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-269

Published: August 2, 2024

Last Updated: June 20, 2025

🔗 References

https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/ Exploit,Third Party Advisory
https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf Vendor Advisory
https://www.ewon.biz/products/cosy/ewon-cosy-wifi Product
https://www.hms-networks.com/cyber-security Vendor Advisory
http://seclists.org/fulldisclosure/2024/Aug/23 Exploit,Mailing List

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-33894, you might also want to check these: