CVE-2024-50954
📋 TL;DR
A vulnerability in XINJE XL5E-16T and XD5E-24R-E programmable logic controllers allows attackers to crash the PLC by sending specific Modbus messages over TCP. This causes program interruption, ERR light activation, and RUN light deactivation. Organizations using these specific PLC models in industrial control systems are affected.
💻 Affected Systems
- XINJE XL5E-16T
- XINJE XD5E-24R-E
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of industrial processes controlled by the PLC, potentially causing production downtime, equipment damage, or safety incidents in critical infrastructure.
Likely Case
Temporary disruption of PLC operations requiring manual restart and potential loss of process data or control until recovery.
If Mitigated
Limited impact: with the PLC segmented so that only authorized hosts can reach port 502, an attacker has no path to send the crash message, and monitoring of the remaining Modbus traffic allows quick detection and response to attempts.
🎯 Exploit Status
Exploitation requires network access to the Modbus TCP port (typically 502) and knowledge of the specific malformed Modbus message. Modbus TCP has no authentication of its own, so any host that can open a connection to port 502 on the PLC can send the message; reachability of that port is the only barrier.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V3.7.3 or later
Vendor Advisory: Not provided in references
Restart Required: Yes
Instructions:
1. Contact XINJE for firmware V3.7.3 or later.
2. Back up the PLC program.
3. Schedule a maintenance window: the update stops the controller and requires a restart.
4. Upload the new firmware via the programming software.
5. Restore the program.
6. Confirm the new firmware version and test functionality before returning the PLC to service.
🔧 Temporary Workarounds
Network Segmentation
Isolate PLCs on separate VLANs with strict firewall rules limiting Modbus TCP access to authorized devices only.
Access Control Lists
Implement network ACLs to restrict Modbus TCP (port 502) access to specific IP addresses.
🧯 If You Can't Patch
- Implement strict network segmentation with industrial firewall between PLC network and other networks
- Deploy intrusion detection systems monitoring for malformed Modbus traffic and PLC crash indicators
🔍 How to Verify
Check if Vulnerable:
Check the PLC firmware version via the programming software. If the version falls in the range V3.5.3b through V3.7.2a, the PLC is vulnerable.
Check Version:
Use XINJE programming software to read PLC firmware version from device properties.
Verify Fix Applied:
Confirm firmware version is V3.7.3 or later via programming software interface.
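The version range above has a letter suffix (V3.5.3b, V3.7.2a) that a plain string comparison mishandles, and a string comparison also sorts V3.10.x before V3.7.x. The following added Python example (not XINJE's tooling or part of the original page) parses such strings and checks them against the range on this page; whether the bounds are inclusive is not stated on the page, so treating both as inclusive is an assumption made here.

```python
import re
from typing import Tuple

# Affected range and fixed version as stated on this page.
VULN_LOW = "V3.5.3b"
VULN_HIGH = "V3.7.2a"
FIXED = "V3.7.3"

# Accepts "V3.7.2a", "v3.7.2a", "3.7.2" and similar; the trailing letter is optional.
_VERSION_RE = re.compile(r"^[Vv]?(\d+)\.(\d+)\.(\d+)([a-z])?$")


def parse_version(s: str) -> Tuple[int, int, int, int]:
    """Turn 'V3.7.2a' into (3, 7, 2, 1).

    A missing letter suffix ranks as 0, so V3.7.2 < V3.7.2a < V3.7.3, and the
    numeric fields compare as integers, so V3.10.0 > V3.7.3. Unrecognised
    strings raise instead of being guessed at.
    """
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised XINJE version string: {s!r}")
    major, minor, patch, suffix = m.groups()
    suffix_rank = (ord(suffix) - ord("a") + 1) if suffix else 0
    return (int(major), int(minor), int(patch), suffix_rank)


def is_vulnerable(version: str) -> bool:
    """True when the version lies in V3.5.3b..V3.7.2a.
    Assumption: both bounds are inclusive (the page does not say)."""
    v = parse_version(version)
    return parse_version(VULN_LOW) <= v <= parse_version(VULN_HIGH)


def is_fixed(version: str) -> bool:
    """True when the version is V3.7.3 or later."""
    return parse_version(version) >= parse_version(FIXED)


if __name__ == "__main__":
    for v in ("V3.5.3a", "V3.5.3b", "V3.7.2a", "V3.7.3", "V3.10.0"):
        print(v, "vulnerable" if is_vulnerable(v) else "not in range",
              "/ fixed" if is_fixed(v) else "")
```

The V3.10.0 case is the one to keep in mind: `"V3.10.0" < "V3.7.3"` is true as a string comparison, which would wrongly flag a newer firmware as unpatched.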
📡 Detection & Monitoring
Log Indicators:
- PLC error logs showing unexpected crashes
- ERR indicator light activation logs
- Modbus connection attempts from unauthorized sources
Network Indicators:
- Malformed Modbus TCP packets to port 502
- Sudden cessation of normal Modbus traffic from PLC
SIEM Query (illustrative pseudo-query; field names such as packet_size and protocol_violation depend on your platform and should be adapted to its schema, and a clause excluding the authorized Modbus clients' source addresses makes hits from unexpected hosts stand out):
source:firewall AND dest_port:502 AND (packet_size:unusual OR protocol_violation:modbus)
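To make the allow-list from the Access Control Lists workaround and the Network Indicators above concrete, here is an added Python example (not XINJE's or this page's own tooling) that checks Modbus/TCP requests against a source allow-list and the MBAP framing rules: protocol id, length field, maximum ADU size, expected function codes and the register-count limits of the read and write functions. The client addresses, the function-code baseline and the sample frames are constructed assumptions. The page does not disclose which message crashes the PLC, so these checks flag generic protocol violations and unexpected sources rather than a signature for this CVE.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Hosts allowed to speak Modbus/TCP to the PLC. Assumed addresses; in practice
# this mirrors the firewall/ACL allow-list from the workaround section.
AUTHORIZED_CLIENTS = {"10.10.5.10", "10.10.5.11"}

# Function codes the HMI/SCADA normally sends to this PLC. Assumed baseline;
# derive yours from a capture of known-good traffic.
EXPECTED_FUNCTIONS = {1, 2, 3, 4, 5, 6, 15, 16}

MBAP_LEN = 7                      # transaction id(2) + protocol id(2) + length(2) + unit id(1)
MAX_ADU = 260                     # largest legal Modbus/TCP ADU
MAX_LENGTH_FIELD = MAX_ADU - 6    # length field counts unit id + PDU, so 254 at most


@dataclass
class Alert:
    src: str
    reason: str


def validate_frame(src: str, frame: bytes) -> List[Alert]:
    """Check one Modbus/TCP request against the allow-list and the wire format.
    Returns every violation found (empty list = looks normal)."""
    alerts: List[Alert] = []
    if src not in AUTHORIZED_CLIENTS:
        alerts.append(Alert(src, "modbus from unauthorized source"))

    # A request needs the 7-byte MBAP header plus at least a function code.
    if len(frame) < MBAP_LEN + 1:
        alerts.append(Alert(src, f"truncated frame ({len(frame)} bytes)"))
        return alerts

    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        alerts.append(Alert(src, f"protocol id {proto} != 0"))
    if length != len(frame) - 6:
        alerts.append(Alert(src, f"MBAP length {length} != {len(frame) - 6} bytes on the wire"))
    if length > MAX_LENGTH_FIELD or len(frame) > MAX_ADU:
        alerts.append(Alert(src, "oversized ADU"))

    fc = frame[MBAP_LEN]
    pdu = frame[MBAP_LEN + 1:]
    if fc not in EXPECTED_FUNCTIONS:
        alerts.append(Alert(src, f"unexpected function code 0x{fc:02x}"))
    elif fc in (3, 4):  # read holding/input registers: addr(2) + quantity(2)
        if len(pdu) != 4:
            alerts.append(Alert(src, f"fc {fc} with {len(pdu)} data bytes, expected 4"))
        else:
            _addr, qty = struct.unpack(">HH", pdu)
            if not 1 <= qty <= 125:
                alerts.append(Alert(src, f"read quantity {qty} outside 1..125"))
    elif fc == 16:  # write multiple registers: addr(2) + quantity(2) + byte count(1) + data
        if len(pdu) < 5:
            alerts.append(Alert(src, f"fc 16 with {len(pdu)} data bytes, expected >= 5"))
        else:
            _addr, qty, bytecount = struct.unpack(">HHB", pdu[:5])
            if not 1 <= qty <= 123 or bytecount != 2 * qty or len(pdu) - 5 != bytecount:
                alerts.append(Alert(src, f"fc 16 quantity/byte-count mismatch "
                                         f"({qty}, {bytecount}, {len(pdu) - 5})"))
    return alerts


# Constructed sample traffic (not captured from a real PLC).
SAMPLES: List[Tuple[str, bytes]] = [
    # 0: normal read of 10 holding registers from an authorized HMI
    ("10.10.5.10", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # 1: read of 65535 registers from a host that is not on the allow-list
    ("10.10.9.99", b"\x00\x02\x00\x00\x00\x06\x01\x03\x00\x00\xff\xff"),
    # 2: MBAP length field (2) disagrees with the bytes actually sent (6)
    ("10.10.5.10", b"\x00\x03\x00\x00\x00\x02\x01\x03\x00\x00\x00\x01"),
    # 3: protocol id 1 instead of 0
    ("10.10.5.11", b"\x00\x04\x00\x01\x00\x06\x01\x03\x00\x00\x00\x01"),
    # 4: header cut short
    ("10.10.5.10", b"\x00\x05\x00\x00"),
    # 5: function 0x2b (device identification), not in this site's baseline
    ("10.10.5.11", b"\x00\x06\x00\x00\x00\x05\x01\x2b\x0e\x01\x00"),
]


def scan(samples: List[Tuple[str, bytes]] = SAMPLES) -> List[List[str]]:
    """Run every sample through validate_frame and return the reasons per sample."""
    return [[a.reason for a in validate_frame(src, frame)] for src, frame in samples]


if __name__ == "__main__":
    for i, reasons in enumerate(scan()):
        print(i, reasons or "ok")
```

In a deployment this logic sits on a SPAN/mirror port or inside a Modbus-aware IDS rule set rather than in the PLC's path; the source allow-list check pairs with the ACL workaround, and the framing checks pair with the "malformed Modbus TCP packets" indicator. The "sudden cessation of normal Modbus traffic" indicator is a timing check (no polls seen from the PLC within the usual interval) and is not covered here.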