CVE-2024-36080
📋 TL;DR
Westermo EDW-100 serial-to-Ethernet converters have a hidden root account with an unchangeable hardcoded password, allowing attackers to gain full administrative control. This affects all EDW-100 devices manufactured through May 3, 2024. The vendor notes these devices should not be placed at network edges due to this vulnerability.
💻 Affected Systems
- Westermo EDW-100
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attackers to intercept/modify serial communications, pivot to other network systems, or disable the device entirely.
Likely Case
Unauthorized administrative access leading to data interception, configuration changes, or device disruption.
If Mitigated
Limited impact if device is properly segmented and isolated from critical systems.
🎯 Exploit Status
Exploitation requires only knowledge of the hardcoded credentials, which may be discovered through reverse engineering or information disclosure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware updates after 2024-05-03
Vendor Advisory: https://www.westermo.com/-/media/Files/Cyber-security/westermo_sa_EDW-100_24-05.pdf
Restart Required: Yes
Instructions:
1. Download latest firmware from Westermo support portal. 2. Upload firmware via web interface or CLI. 3. Reboot device to apply update.
🔧 Temporary Workarounds
Network segmentation
allIsolate EDW-100 devices in separate VLANs with strict firewall rules
Access control lists
allImplement IP-based restrictions to limit administrative access
🧯 If You Can't Patch
- Physically isolate devices from internet and critical network segments
- Implement network monitoring for authentication attempts to the hidden account
🔍 How to Verify
Check if Vulnerable:
Check device manufacturing date or firmware version. Devices manufactured before May 4, 2024 are vulnerable.Check Version:
Check via web interface or CLI: show versionVerify Fix Applied:
Verify firmware version is post-2024-05-03 update and attempt to authenticate with known hardcoded credentials (should fail).📡 Detection & Monitoring
Log Indicators:
- Authentication attempts to root account
- Unexpected configuration changes
- Serial communication anomalies
Network Indicators:
- Unexpected administrative access from unauthorized IPs
- Anomalous traffic patterns from EDW-100 devices
SIEM Query:
source="EDW-100" AND (event_type="authentication" AND user="root")