CVE-2024-39840

8.8 HIGH

📋 TL;DR

This vulnerability allows a malicious Factorio server to execute arbitrary code on connecting clients through specially crafted custom maps. Attackers can exploit Lua base module functions to execute bytecode and create fake objects, leading to remote code execution. All Factorio clients connecting to untrusted servers are affected.

💻 Affected Systems

Products:
  • Factorio
Versions: All versions before 1.1.101
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability affects the game client when connecting to servers. Single-player mode is not affected.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of client systems with attacker gaining full control, data theft, and lateral movement capabilities.

🟠 Likely Case

Attackers create malicious servers to compromise players' systems, potentially stealing credentials, installing malware, or using systems for cryptocurrency mining.

🟢 If Mitigated

Limited impact if clients only connect to trusted servers and have network segmentation preventing lateral movement.

🌐 Internet-Facing: HIGH - Attackers can host malicious servers on the internet to target any connecting Factorio client.
🏢 Internal Only: MEDIUM - Risk exists if internal users connect to untrusted servers, but attack surface is smaller than internet-facing.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires creating a malicious server with custom map. Technical details and proof-of-concept are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.101

Vendor Advisory: https://factorio.com/blog/post/fff-400

Restart Required: Yes

Instructions:

  1. Launch the Factorio game client.
  2. Check for updates in the game launcher.
  3. Update to version 1.1.101 or later.
  4. Restart the game client.

🔧 Temporary Workarounds

Restrict Server Connections (applies to: all platforms)

Only connect to trusted Factorio servers from known sources. Avoid joining random public servers.

Network Segmentation (applies to: all platforms)

Isolate gaming systems from critical network segments to limit lateral movement if compromised.

🧯 If You Can't Patch

  • Disable multiplayer functionality and only play single-player mode
  • Use network firewalls to block outgoing connections to Factorio servers (default port 34197)

🔍 How to Verify

Check if Vulnerable:

Check the Factorio version in the game launcher or main menu. If the version is below 1.1.101, the system is vulnerable.

Check Version:

  • On Windows: check the game launcher or the properties of Factorio.exe.
  • On Linux: run factorio --version

Verify Fix Applied:

Confirm the version is 1.1.101 or higher in the game launcher or main menu.
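The version check above is easy to get wrong when scripted, because a plain string comparison ranks "1.1.99" above "1.1.101". The following POSIX shell script is an added example (not part of this advisory and not Factorio's own tooling): it compares dotted version numbers field by field as integers, reports whether a given version is below the fixed release 1.1.101, and, when run with no arguments on a Linux host, asks the local factorio binary for its version. The output format of factorio --version is an assumption; the script simply takes the first x.y.z token it finds.

```shell
#!/bin/sh
# Added example: decide whether a Factorio client version is older than the
# fixed release 1.1.101 (CVE-2024-39840). Not part of the advisory or of Factorio.

FIXED_VERSION="1.1.101"

# version_lt A B -> returns 0 if A is numerically lower than B.
# Both arguments are dot-separated integers; missing trailing fields count as 0,
# so "1.1" compares equal to "1.1.0". Non-numeric fields are not handled.
version_lt() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1    # all fields equal: not lower
}

# is_vulnerable VERSION -> prints "vulnerable" or "patched"; exit 0 when vulnerable.
is_vulnerable() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "vulnerable"
        return 0
    fi
    echo "patched"
    return 1
}

# extract_version TEXT -> the first x.y.z token in TEXT, e.g. from `factorio --version`.
# The real output format is an assumption; any text containing the version works.
extract_version() {
    printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1
}

# Stand-alone use: `sh check.sh 1.1.100` checks a given version string;
# with no argument it queries the local binary if one is on PATH.
if [ -n "${1-}" ]; then
    is_vulnerable "$1"
elif command -v factorio >/dev/null 2>&1; then
    is_vulnerable "$(extract_version "$(factorio --version 2>&1)")"
fi
```

The exit status of is_vulnerable is 0 only for a vulnerable version, so the script can be dropped into an inventory job that flags hosts still below 1.1.101.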

📡 Detection & Monitoring

Log Indicators:

  • Unusual Lua bytecode execution in game logs
  • Connection attempts to unknown Factorio servers

Network Indicators:

  • Outbound connections to Factorio servers on port 34197 from unexpected systems
  • Large or unusual data transfers during game sessions

SIEM Query:

source="factorio.log" AND ("bytecode" OR "custom map" OR "Lua execution")
