Published Date: December 17, 2024
Last updated: August 6, 2025
Revision Number: 1.0
CVSS Score: v3.1: 9.8/10, v4.0: 9.3/10
AFFECTED PRODUCTS AND SOLUTION
Affected Products | Affected firmware revision | Corrected in firmware revision
--- | --- | ---
PM1k 1408-BC3A-485 | <4.020 | 4.020
PM1k 1408-BC3A-ENT | <4.020 | 4.020
PM1k 1408-TS3A-485 | <4.020 | 4.020
PM1k 1408-TS3A-ENT | <4.020 | 4.020
PM1k 1408-EM3A-485 | <4.020 | 4.020
PM1k 1408-EM3A-ENT | <4.020 | 4.020
PM1k 1408-TR1A-485 | <4.020 | 4.020
PM1k 1408-TR2A-485 | <4.020 | 4.020
PM1k 1408-EM1A-485 | <4.020 | 4.020
PM1k 1408-EM2A-485 | <4.020 | 4.020
PM1k 1408-TR1A-ENT | <4.020 | 4.020
PM1k 1408-TR2A-ENT | <4.020 | 4.020
PM1k 1408-EM1A-ENT | <4.020 | 4.020
PM1k 1408-EM2A-ENT | <4.020 | 4.020
SECURITY ISSUE DETAILS
Rockwell Automation used versions 3.1 and 4.0 of the CVSS scoring system to assess the following security issues. The following issues were reported by Vera Mens of Claroty Research - Team82.
CVE-2024-12371 IMPACT
A device takeover security issue exists in the affected product. It allows configuration of a new Policyholder user without any authentication via the API. A Policyholder user is the most privileged user and can perform edit operations, including creating admin users and performing a factory reset.
CVSS 3.1 Base Score: 9.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.3/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE-420: Unprotected Alternate Channel
CVE-2024-12372 IMPACT
A denial-of-service and possible remote code execution security issue exists in the affected product. This issue results in corruption of heap memory, which may compromise the integrity of the system. This could allow remote code execution or a denial-of-service attack.
CVSS 3.1 Base Score: 9.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.3/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE-122: Heap-based Buffer Overflow
CVE-2024-12373 IMPACT
A denial-of-service security issue exists in the affected product. It results in a buffer overflow which could cause a denial of service.
CVSS 3.1 Base Score: 9.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.3/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization (SSVC) to create more environment-specific categories.
Mitigations and Workarounds
Customers using the affected software who cannot upgrade to one of the corrected versions should apply the security best practices.
Glossary
Buffer Overflow: when a program writes more data to a buffer than it can hold, causing the excess data to overflow into adjacent memory locations
Denial-of-Service: malicious attempt to overwhelm a web property with traffic in order to disrupt its normal operations
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited