Published Date: March 21, 2024
Last updated: August 5, 2025
Revision Number: 1.0
CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10
AFFECTED PRODUCTS AND SOLUTION
Affected Product |
First Known in software version |
Corrected in software version |
PowerFlex® 527 |
v2.001.x < |
n/a |
SECURITY ISSUE DETAILS
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following security issues.
CVE-2024-2425 IMPACT
A denial-of-service security issue exists in the PowerFlex® 527 due to improper input validation in the device. The web server would then crash and need a manual restart to recover it.
CVSS Base Score 3.1: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Base Score 4.0: 8.7/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE: CWE – 120 Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
CVE-2024-2426 IMPACT
A denial-of-service security issue exists in the PowerFlex® 527 due to improper input validation in the device. A disruption in the CIP communication could occur and a manual restart will be required by the user to recover it.
CVSS Base Score 3.1: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Base Score 4.0: 8.7/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE: CWE – 120 Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
CVE-2024-2427 IMPACT
A denial-of-service security issue exists in the PowerFlex® 527. This is due to improper traffic throttling in the device. If multiple data packets are sent to the device repeatedly the device will crash and require a manual restart to recover.
CVSS Base Score 3.1: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Base Score 4.0: 8.7/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE: CWE-400: Uncontrolled Resource Consumption
Users can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.
Mitigations and Workarounds
There is no fix currently for this issue. Customers using the affected software should use the risk mitigations and security best practices.
- Implement network segmentation confirming the device is on an isolated network.
- Disable the web server, if not needed. The web server is disabled by default. Disabling this feature is available in v2.001.x and later.
- Security Best Practices
ADDITIONAL RESOURCES
Glossary
CIP Communication: Common Industrial Protocol (CIP) is a common communication standard that is widely used in industrial automation. Comprises a series of protocols for communication between different devices and systems in automation technology
Denial-of-Service: malicious attempt to overwhelm a web property with traffic in order to disrupt its normal operations
Traffic Throttling: a method used to intentionally slow down internet speed or data transmission to manage network congestion and ensure fair usage among users