CVE-2024-39675
📋 TL;DR
Affected Siemens RUGGEDCOM industrial networking devices incorrectly enable the Modbus service in non-managed VLANs, potentially exposing serial communication interfaces to unauthorized network access. The issue affects multiple RUGGEDCOM switch and router models running outdated firmware versions. Only serial devices connected to these products are vulnerable.
💻 Affected Systems
- RUGGEDCOM RMC30
- RUGGEDCOM RMC30NC
- RUGGEDCOM RP110
- RUGGEDCOM RP110NC
- RUGGEDCOM RS400
- RUGGEDCOM RS400NC
- RUGGEDCOM RS401
- RUGGEDCOM RS401NC
- RUGGEDCOM RS416
- RUGGEDCOM RS416NC
- RUGGEDCOM RS416NCv2
- RUGGEDCOM RS416P
- RUGGEDCOM RS416PNC
- RUGGEDCOM RS416PNCv2
- RUGGEDCOM RS416Pv2
- RUGGEDCOM RS416v2
- RUGGEDCOM RS910
- RUGGEDCOM RS910L
- RUGGEDCOM RS910LNC
- RUGGEDCOM RS910NC
- RUGGEDCOM RS910W
- RUGGEDCOM RS920L
- RUGGEDCOM RS920LNC
- RUGGEDCOM RS920W
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could gain unauthorized access to industrial serial devices via Modbus protocol, potentially allowing manipulation of industrial processes, data exfiltration, or disruption of critical infrastructure operations.
Likely Case
Unauthorized network access to serial devices through exposed Modbus interfaces, potentially enabling reconnaissance, data monitoring, or limited manipulation of industrial equipment.
If Mitigated
With proper network segmentation and access controls, the risk is limited to internal network segments that attackers would need additional access to reach.
🎯 Exploit Status
Exploitation requires network access to the affected VLANs. No authentication is needed to access the Modbus service once it is exposed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V4.3.10 for V4.X devices, V5.9.0 for V5.X devices
Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-170375.html
Restart Required: Yes
Instructions:
1. Download firmware update from Siemens support portal.
2. Backup current configuration.
3. Apply firmware update via web interface or CLI.
4. Reboot device.
5. Verify firmware version and configuration.
🔧 Temporary Workarounds
Disable Modbus in non-managed VLANs
Manually configure VLAN settings to ensure the Modbus service is only enabled in properly managed VLANs
configure terminal
interface vlan [vlan-id]
no modbus enable
end
write memory
Implement network segmentation
Isolate affected devices and serial networks from general corporate networks using firewalls and VLAN segmentation
🧯 If You Can't Patch
- Implement strict network access controls to limit access to affected VLANs
- Monitor network traffic for unauthorized Modbus protocol access attempts
🔍 How to Verify
Check if Vulnerable:
Check the device firmware version via the web interface or CLI using the 'show version' command and compare it against the patched versions
Check Version:
show version
Verify Fix Applied:
Verify firmware version is V4.3.10 or higher for V4.X devices, or V5.9.0 or higher for V5.X devices
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to Modbus service
- Modbus protocol traffic from unexpected network segments
- Configuration changes to VLAN or Modbus settings
Network Indicators:
- Modbus TCP traffic (port 502) from unauthorized network segments
- Unexpected serial device communication patterns
SIEM Query:
source_ip IN (industrial_network_subnets) AND dest_port=502 AND protocol=TCP
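One way to turn the network indicator above into a check over flow records, as an added example that is not part of the original advisory or any Siemens tooling. It assumes a five-field CSV flow export (timestamp, source, destination, protocol, destination port); the subnets, device addresses and sample records are constructed.

```python
import csv
import io
import ipaddress

# Assumption: subnets permitted to speak Modbus/TCP to the serial gateways.
# Constructed values; replace with your managed-VLAN address plan.
AUTHORIZED_MODBUS_SOURCES = [ipaddress.ip_network("10.20.30.0/24")]
# Assumption: address range of the affected RUGGEDCOM devices (constructed).
RUGGEDCOM_DEVICES = [ipaddress.ip_network("10.20.40.0/28")]
MODBUS_TCP_PORT = 502

# Constructed sample flow records: timestamp,src_ip,dst_ip,proto,dst_port
SAMPLE_FLOWS = """\
2024-07-09T10:00:01Z,10.20.30.15,10.20.40.5,TCP,502
2024-07-09T10:00:07Z,10.50.1.77,10.20.40.5,TCP,502
2024-07-09T10:00:09Z,10.50.1.77,10.20.40.5,TCP,443
2024-07-09T10:01:12Z,192.168.8.4,10.20.40.9,tcp,502
2024-07-09T10:01:30Z,not-an-ip,10.20.40.9,TCP,502
2024-07-09T10:02:00Z,10.50.1.77,10.99.0.1,TCP,502
"""

def _in_any(addr, networks):
    return any(addr in net for net in networks)

def find_unauthorized_modbus(flow_csv):
    """Return (alerts, skipped): Modbus/TCP flows to a listed device from an
    unauthorized source, and rows that could not be parsed."""
    alerts, skipped = [], []
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 5:
            skipped.append(row)
            continue
        ts, src, dst, proto, port = (f.strip() for f in row)
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            dst_port = int(port)
        except ValueError:
            skipped.append(row)  # keep malformed records visible for review
            continue
        if (proto.upper() != "TCP" or dst_port != MODBUS_TCP_PORT
                or not _in_any(dst_ip, RUGGEDCOM_DEVICES)):
            continue
        if not _in_any(src_ip, AUTHORIZED_MODBUS_SOURCES):
            alerts.append({"time": ts, "src": src, "dst": dst})
    return alerts, skipped

if __name__ == "__main__":
    for a in find_unauthorized_modbus(SAMPLE_FLOWS)[0]:
        print(f"ALERT {a['time']} Modbus/TCP {a['src']} -> {a['dst']}:502")
```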