CVE-2024-50359
📋 TL;DR
This OS command injection vulnerability in Advantech EKI series industrial switches allows attackers to execute arbitrary commands on affected devices by sending specially crafted requests to the 'scan_ap' API. Attackers could gain full control of the device, potentially compromising industrial networks. Organizations using affected Advantech EKI-6333AC series switches are at risk.
💻 Affected Systems
- Advantech EKI-6333AC-2G
- Advantech EKI-6333AC-2GD
- Advantech EKI-6333AC-1GPO
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device takeover leading to lateral movement within industrial networks, disruption of industrial processes, data exfiltration, or deployment of ransomware.
Likely Case
Unauthorized command execution allowing network reconnaissance, credential harvesting, or installation of backdoors for persistent access.
If Mitigated
Limited impact with proper network segmentation and access controls preventing exploitation attempts from reaching vulnerable devices.
🎯 Exploit Status
The vulnerability is in an API endpoint that may be accessible without authentication depending on device configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Advantech security advisory for specific fixed versions
Vendor Advisory: https://www.advantech.com/support
Restart Required: Yes
Instructions:
1. Check current firmware version.
2. Download latest firmware from Advantech support portal.
3. Upload firmware via web interface.
4. Reboot device after update.
🔧 Temporary Workarounds
Disable web management interface
Disable HTTP/HTTPS management interface if not required
Configure via CLI: no ip http server
Configure via CLI: no ip http secure-server
Restrict network access
Implement firewall rules to restrict access to management interfaces
# Allow the trusted management subnet first (192.0.2.0/24 is a placeholder; replace with your own), then drop everyone else
iptables -A INPUT -p tcp -s 192.0.2.0/24 -m multiport --dports 80,443 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Segment affected devices in isolated VLAN with strict access controls
- Implement network monitoring for unusual API requests to scan_ap endpoint
🔍 How to Verify
Check if Vulnerable:
Check device firmware version via web interface or CLI command 'show version'
Check Version:
show version
Verify Fix Applied:
Confirm the firmware version is at or above the fixed version named in the vendor advisory, and confirm the scan_ap API endpoint rejects or neutralizes shell metacharacters in its parameters
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /scan_ap endpoint
- Multiple failed authentication attempts followed by scan_ap requests
- System logs showing unexpected command execution
Network Indicators:
- Unusual outbound connections from industrial switches
- Traffic to scan_ap endpoint with special characters in parameters
SIEM Query:
source="switch_logs" AND (uri="/scan_ap" OR cmd="scan_ap") AND (param="*;*" OR param="*|*" OR param="*`*")
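The log indicators and SIEM query above can be reproduced outside a SIEM. The script below is an added example, not part of this advisory or of any Advantech software: it parses combined-format access-log lines, decodes the query string, and flags any request to the scan_ap endpoint (path `/scan_ap` or `cmd=scan_ap`) whose parameters contain shell metacharacters. The log format, the `ssid` parameter name and the sample lines are constructed for the demo; the real EKI-6333AC log layout is not documented on this page. Decoding before matching is the point the example adds: the wildcard SIEM query matches a literal `;`, `|` or backtick, but a percent-encoded `%3B` would slip past it.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined format) for the demo only.
# The parameter name "ssid" is an assumption; the real endpoint's parameters are not on the advisory page.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Nov/2024:10:00:01 +0000] "POST /scan_ap?ssid=office-wifi HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Nov/2024:10:00:07 +0000] "POST /scan_ap?ssid=x%3B%20echo%20hi HTTP/1.1" 200 42',
    '10.0.0.9 - - [01/Nov/2024:10:00:09 +0000] "POST /scan_ap?ssid=a%7Cecho%20hi HTTP/1.1" 200 40',
    '10.0.0.5 - - [01/Nov/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Nov/2024:10:02:00 +0000] "POST /scan_ap?ssid=%60echo%20hi%60 HTTP/1.1" 200 38',
    '10.0.0.9 - - [01/Nov/2024:10:02:30 +0000] "GET /cgi-bin/api?cmd=scan_ap&ssid=x%24(echo%20hi) HTTP/1.1" 200 38',
]

# Combined-format request line: source, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The SIEM query looks for ; | and backtick. & $ < > and newline are added here
# because they reach a shell the same way (assumption, not from the advisory).
SHELL_META = re.compile(r'[;|`&$<>\n]')


def parse_line(line):
    """Split one access-log line into fields; parse_qsl percent-decodes the parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    u = urlsplit(rec["target"])
    rec["path"] = u.path
    rec["params"] = parse_qsl(u.query, keep_blank_values=True)
    return rec


def is_scan_ap(rec):
    """True for the /scan_ap path or for an API call whose cmd parameter is scan_ap."""
    if rec["path"].rstrip("/").endswith("/scan_ap"):
        return True
    return any(k == "cmd" and v == "scan_ap" for k, v in rec["params"])


def flag_scan_ap(line):
    """Return a finding for a scan_ap request carrying shell metacharacters, else None."""
    rec = parse_line(line)
    if rec is None or not is_scan_ap(rec):
        return None
    hits = [
        (k, v, sorted(set(SHELL_META.findall(v))))
        for k, v in rec["params"]
        if SHELL_META.search(v)
    ]
    if not hits:
        return None
    return {"src": rec["src"], "ts": rec["ts"], "target": rec["target"], "hits": hits}


def scan_log(lines):
    """Run the check over an iterable of log lines and keep the findings."""
    return [f for f in map(flag_scan_ap, lines) if f]


def summarize(findings):
    """Count findings per source address so repeat offenders stand out."""
    counts = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOGS)
    for f in found:
        print(f["ts"], f["src"], f["target"], f["hits"])
    print("per-source:", summarize(found))
```

Two caveats when applying this to real devices: parameters sent in a POST body do not appear in a standard access log, so body logging on a reverse proxy or a network sensor in front of the switch is needed to see them; and a request that decodes cleanly but still reaches a shell is only caught by the firmware fix, so this check is a monitoring aid alongside patching and segmentation, not a substitute.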