SD1664 | Security Advisory | Rockwell Automation

Severity:

High

Advisory ID:

SD1664

Date de publication:

March 21, 2024

Date de la dernière mise à jour:

December 04, 2024

Revision Number:

1.0

Known Exploited Vulnerability (KEV):

Non

Corrected:

Non

Workaround:

Oui

CVE IDs

CVE-2024-2425,

CVE-2024-2426,

CVE-2024-2427

Téléchargements

The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:

JSON

Résumé

Denial-of-service and Input Validation Vulnerabilities in PowerFlex® 527

Published Date: March 21, 2024
Last updated: August 5, 2025
Revision Number: 1.0
CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product	First Known in software version	Corrected in software version
PowerFlex® 527	v2.001.x <	n/a

SECURITY ISSUE DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following security issues.

CVE-2024-2425 IMPACT

A denial-of-service security issue exists in the PowerFlex® 527 due to improper input validation in the device. The web server would then crash and need a manual restart to recover it.

CVSS Base Score 3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score 4.0: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE – 120 Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

CVE-2024-2426 IMPACT

A denial-of-service security issue exists in the PowerFlex® 527 due to improper input validation in the device. A disruption in the CIP communication could occur and a manual restart will be required by the user to recover it.

CVSS Base Score 3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score 4.0: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE – 120 Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

CVE-2024-2427 IMPACT

A denial-of-service security issue exists in the PowerFlex® 527. This is due to improper traffic throttling in the device. If multiple data packets are sent to the device repeatedly the device will crash and require a manual restart to recover.

CVSS Base Score 3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score 4.0: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-400: Uncontrolled Resource Consumption

Users can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

Mitigations and Workarounds

There is no fix currently for this issue. Customers using the affected software should use the risk mitigations and security best practices.

Implement network segmentation confirming the device is on an isolated network.
Disable the web server, if not needed. The web server is disabled by default. Disabling this feature is available in v2.001.x and later.
Security Best Practices

ADDITIONAL RESOURCES

Glossary

CIP Communication: Common Industrial Protocol (CIP) is a common communication standard that is widely used in industrial automation. Comprises a series of protocols for communication between different devices and systems in automation technology

Denial-of-Service: malicious attempt to overwhelm a web property with traffic in order to disrupt its normal operations

Traffic Throttling: a method used to intentionally slow down internet speed or data transmission to manage network congestion and ensure fair usage among users