CVE-2024-50367
📋 TL;DR
This OS command injection vulnerability in Advantech EKI-6333 series industrial switches allows attackers to execute arbitrary commands on affected devices by sending specially crafted requests to the sta_log_htm API. Attackers can gain full control of the device, potentially compromising industrial networks. Organizations using these specific Advantech switch models with vulnerable firmware versions are affected.
💻 Affected Systems
- Advantech EKI-6333AC-2G
- Advantech EKI-6333AC-2GD
- Advantech EKI-6333AC-1GPO
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device takeover leading to lateral movement within industrial networks, disruption of industrial processes, data exfiltration, or deployment of ransomware in critical infrastructure environments.
Likely Case
Unauthorized access to device configuration, network reconnaissance, credential harvesting, and potential disruption of network connectivity for connected industrial equipment.
If Mitigated
Limited impact if devices are properly segmented, API access is restricted, and network monitoring detects anomalous traffic patterns.
🎯 Exploit Status
Exploitation requires network access to the device's web interface; based on the CWE-78 classification and the API's exposure, it does not require authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Advantech security advisory for specific patched versions
Vendor Advisory: https://www.advantech.com/support
Restart Required: Yes
Instructions:
1. Check the current firmware version using the web interface or CLI.
2. Download the latest firmware from the Advantech support portal.
3. Back up the device configuration.
4. Upload and apply the firmware update via the web interface.
5. Reboot the device.
6. Verify the firmware version post-update.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected switches from untrusted networks and restrict access to management interfaces
Access Control Lists
Implement firewall rules to restrict access to the device's web management interface (typically port 80/443)
🧯 If You Can't Patch
- Disable web management interface if not required for operations
- Implement strict network segmentation to limit device exposure to only trusted management stations
🔍 How to Verify
Check if Vulnerable:
Access the device web interface, navigate to the System Information page, and check the firmware version against the affected versions list.
Check Version:
Via CLI: ssh admin@device_ip show version
Via web interface: System > Information
Verify Fix Applied:
After patching, verify that the firmware version is higher than the vulnerable versions: EKI-6333AC-2G > 1.6.3, EKI-6333AC-2GD > 1.6.3, EKI-6333AC-1GPO > 1.2.1
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP POST requests to /sta_log_htm endpoint
- Multiple failed authentication attempts followed by successful API access
- Unexpected system command execution logs
Network Indicators:
- Unusual outbound connections from industrial switches
- HTTP requests with shell metacharacters in parameters
- Traffic to unexpected ports from switch management IP
SIEM Query:
source="switch_logs" AND (uri_path="/sta_log_htm" OR cmd="*;*" OR cmd="*|*" OR cmd="*`*" OR cmd="*$(*)")
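As an added illustration of the log and network indicators above, the following Python applies the same logic as the SIEM query to web access-log lines: it flags requests to /sta_log_htm and URL-decodes the query string before looking for the shell metacharacters the query lists. This is example code written for this page, not an Advantech or vendor tool; the log format (common log format), parameter names and sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Shell metacharacters named in the SIEM query above: ; | ` and $(
SHELL_META = re.compile(r"[;|`]|\$\(")
TARGET_PATH = "/sta_log_htm"

# Assumed common-log-format line: client - - [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line):
    """Return the indicator names triggered by one access-log line ([] if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path, _, query = m.group("target").partition("?")
    if path != TARGET_PATH:
        return []
    indicators = []
    if m.group("method") == "POST":            # "Unusual HTTP POST requests to /sta_log_htm"
        indicators.append("post_to_sta_log_htm")
    if SHELL_META.search(unquote_plus(query)):  # decode %3B, %7C, %24%28 ... before matching
        indicators.append("shell_metachar_in_params")
    return indicators


def scan(lines):
    """Return (line, indicators) for every line that triggers at least one indicator."""
    hits = []
    for line in lines:
        found = classify(line)
        if found:
            hits.append((line, found))
    return hits


# Constructed sample log lines (parameter names are hypothetical; IPs are RFC 5737 test ranges)
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Nov/2024:10:00:01 +0000] "GET /sta_log_htm?page=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Nov/2024:10:00:05 +0000] "POST /sta_log_htm HTTP/1.1" 200 128',
    '198.51.100.7 - - [01/Nov/2024:10:02:13 +0000] "GET /sta_log_htm?range=1%3Bid HTTP/1.1" 200 40',
    '203.0.113.5 - - [01/Nov/2024:10:03:44 +0000] "GET /index.htm?x=a%7Cb HTTP/1.1" 200 99',
    '198.51.100.7 - - [01/Nov/2024:10:04:02 +0000] "POST /sta_log_htm?opt=%24%28uname%29 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for line, found in scan(SAMPLE_LOG):
        print(", ".join(found), "<-", line)
```

Line 4 of the sample is ignored because the metacharacter is not on the vulnerable endpoint; tune TARGET_PATH or broaden the path check if the device's other handlers should be watched too.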