CVE-2024-50361
📋 TL;DR
This OS command injection vulnerability in Advantech EKI-6333 series industrial switches allows attackers to execute arbitrary commands on affected devices by exploiting unsanitized parameters in the certificate_file_remove API. Successful exploitation could lead to complete device compromise, data theft, or network disruption. Organizations using these specific Advantech switch models with vulnerable firmware versions are affected.
💻 Affected Systems
- Advantech EKI-6333AC-2G
- Advantech EKI-6333AC-2GD
- Advantech EKI-6333AC-1GPO
⚠️ Risk & Real-World Impact
Worst Case
Full device compromise leading to persistent backdoor installation, lateral movement within industrial networks, manipulation of network traffic, and potential physical safety risks in industrial environments.
Likely Case
Unauthorized command execution leading to device configuration changes, service disruption, credential theft, and potential use as pivot point for further network attacks.
If Mitigated
Limited impact due to network segmentation, proper access controls, and monitoring preventing successful exploitation attempts.
🎯 Exploit Status
Exploitation requires authentication to the web interface. The vulnerability is in a specific API endpoint with unsanitized parameters that get passed to system commands.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Advantech security advisory for specific patched versions
Vendor Advisory: https://www.advantech.com/support
Restart Required: Yes
Instructions:
1. Check the current firmware version.
2. Download the latest firmware from the Advantech support portal.
3. Back up the device configuration.
4. Upload and apply the firmware update via the web interface.
5. Verify that the update succeeded and restore the configuration if needed.
🔧 Temporary Workarounds
Disable Web Interface
Disable the web management interface if it is not required for operations.
Use CLI:
configure terminal
no ip http server
end
write memory
The commands shown follow Cisco IOS-style conventions; confirm the exact syntax against the EKI-6333 CLI reference before applying them.
Restrict Network Access
Implement strict network access controls to limit who can reach the management interface.
Use ACLs:
access-list 100 permit ip [trusted-networks] any
interface vlan 1
ip access-group 100 in
Replace [trusted-networks] with the management subnets that need access; in IOS-style ACLs the implicit deny at the end of the list blocks all other sources.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected devices from untrusted networks
- Enable detailed logging and monitoring for suspicious API calls to certificate_file_remove endpoint
🔍 How to Verify
Check if Vulnerable:
Check the firmware version via the web interface (System > System Information) or the CLI (show version). Compare it against the patched versions published in the Advantech security advisory; any version below the patched release on the models listed above should be treated as vulnerable.
Check Version:
show version (CLI) or check System Information in web interface
Verify Fix Applied:
Verify that the firmware version is at or above the patched version named in the Advantech advisory. Test the certificate_file_remove functionality with controlled inputs to confirm that parameters are properly sanitized before use.
📡 Detection & Monitoring
Log Indicators:
- Unusual certificate_file_remove API calls
- Multiple failed authentication attempts followed by successful login
- Suspicious command execution in system logs
Network Indicators:
- Unusual traffic patterns from switch management IP
- Unexpected outbound connections from switch
- HTTP requests to certificate_file_remove endpoint with unusual parameters
SIEM Query:
source="switch-logs" AND ("certificate_file_remove" OR "os command injection")
Extend the query with a pattern for unexpected parameter values once you know the parameter names the endpoint accepts and the format in which your switches log requests; a free-text clause such as "suspicious parameters in API calls" is not valid query syntax.
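The indicator "HTTP requests to the certificate_file_remove endpoint with unusual parameters" can be checked offline against exported access logs. The following Python script is an added example, not part of this advisory and not Advantech's code: it parses constructed combined-format log lines, keeps the requests aimed at the certificate_file_remove endpoint, and flags any query parameter whose value falls outside an allowlist for a plain certificate file name. The log layout, the /cgi-bin path and the parameter name file are assumptions; adapt LOG_RE and ENDPOINT to the format your switches actually emit. It generalizes the indicator above by checking every parameter on the request rather than one fixed name.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in a combined-log-like format. The path, the
# parameter name "file" and the log layout are assumptions for this example;
# the advisory does not document the switch's real request format.
SAMPLE_LOGS = [
    '10.0.0.5 - admin [12/Nov/2024:10:01:02 +0000] "GET /cgi-bin/certificate_file_remove?file=server.crt HTTP/1.1" 200 55',
    '10.0.0.5 - admin [12/Nov/2024:10:01:09 +0000] "GET /cgi-bin/certificate_file_remove?file=cert.crt%3Bfoo HTTP/1.1" 200 55',
    '10.0.0.7 - - [12/Nov/2024:10:02:30 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '10.0.0.9 - admin [12/Nov/2024:10:03:00 +0000] "POST /cgi-bin/certificate_file_remove HTTP/1.1" 200 55',
]

# Combined-log layout: client, ident, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+$'
)

# Endpoint name taken from the advisory; the surrounding path is assumed.
ENDPOINT = "certificate_file_remove"

# Allowlist for a certificate file name: a plain base name and nothing else.
# Anything outside this set (spaces, quotes, shell metacharacters, path
# separators) is flagged, instead of trying to enumerate "bad" characters.
SAFE_VALUE = re.compile(r'[A-Za-z0-9._-]+')


def check_value(name, value):
    """Return a finding dict if a parameter value falls outside the allowlist."""
    if not SAFE_VALUE.fullmatch(value):
        return {"param": name, "value": value, "reason": "non-allowlisted characters"}
    if ".." in value:
        return {"param": name, "value": value, "reason": "path traversal sequence"}
    return None


def analyze_line(line):
    """Return an event dict for requests to the endpoint, or None otherwise."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    if ENDPOINT not in parts.path:
        return None
    findings = []
    # parse_qs percent-decodes values, so %3B is inspected as ';'.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            finding = check_value(name, value)
            if finding:
                findings.append(finding)
    event = {
        "src": m.group("src"),
        "user": m.group("user"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "status": m.group("status"),
        "findings": findings,
    }
    if findings:
        event["severity"] = "suspicious"
    elif m.group("method") != "GET":
        # Body parameters never reach an access log; these need a separate review.
        event["severity"] = "review-body"
    else:
        event["severity"] = "audit"
    return event


def scan(lines):
    """Run analyze_line over an iterable of log lines and return all events."""
    return [e for e in (analyze_line(ln) for ln in lines) if e is not None]


if __name__ == "__main__":
    for event in scan(SAMPLE_LOGS):
        print(f'{event["severity"]:<12} {event["ts"]} {event["src"]} '
              f'{event["user"]} {event["method"]} {event["findings"]}')
```

Every call to the endpoint is reported, because a legitimate certificate removal is rare enough on a switch that each one deserves an audit entry; only values that fail the allowlist are escalated to "suspicious". POST requests are reported as "review-body" since the parameters of interest would be in the request body, which an access log does not record.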