Relative Path Vulnerability in AutomationDirect's C-MORE EA9 HMI Allows for URL Tampering
CVE-2024-25136

7.5HIGH

Key Information:

Vendor: Automationdirect
Status: C-more Ea9 Hmi Ea9-t6cl; C-more Ea9 Hmi Ea9-t7cl; C-more Ea9 Hmi Ea0-t7cl-r; C-more Ea9 Hmi Ea9-t8cl
Vendor: CVE Published:; 26 March 2024

What is CVE-2024-25136?

A vulnerability exists in AutomationDirect's C-MORE EA9 HMI due to improper sanitization of URL paths. Attackers can exploit this flaw by sending a relative path in the URL, potentially leading to unauthorized access to sensitive system resources. It's vital for users of the affected product to remain vigilant and apply any available patches or security measures to mitigate the risk.

Affected Version(s)

C-MORE EA9 HMI EA0-T7CL-R 0 <= 6.77

C-MORE EA9 HMI EA9-PGMSW 0 <= 6.77

C-MORE EA9 HMI EA9-RHMI 0 <= 6.77

References

https://https://www.cisa.gov/news-events/ics-advisories/i...

government-resource

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 26, 2024
Vulnerability Reserved
Feb 5, 2024

Credit

Tomer Goldschmidt of Claroty Research - Team82 reported these vulnerabilities to CISA.

Automationdirect

What is CVE-2024-25136?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit