PatchSiren cyber security CVE debrief

CVE-2024-43099 AutomationDirect CVE debrief

CVE-2024-43099 is a HIGH severity (CVSS 8.8) session hijacking vulnerability in the AutomationDirect DirectLogic H2-DM1E PLC, published by CISA on September 12, 2024. The vulnerability exists in the application-layer session management mechanism that maintains authenticated sessions between a host PC and the PLC. An attacker who captures the session key can inject traffic into an ongoing authenticated session by additionally spoofing the originating host's IP and MAC addresses. This is a classic session hijacking attack against an industrial control system whose session tokens are insufficiently protected. The affected product is DirectLogic H2-DM1E firmware version 2.8.0 and earlier. AutomationDirect has determined that this product cannot be supported within their secure development lifecycle because of its age and architectural limitations. No patch will be issued.

Vendor: AutomationDirect
Product: DirectLogic H2-DM1E
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-09-12
Original CVE updated: 2024-09-12
Advisory published: 2024-09-12
Advisory updated: 2024-09-12

Who should care

Organizations operating AutomationDirect DirectLogic H2-DM1E PLCs in manufacturing, process control, or other industrial environments. OT security teams responsible for legacy PLC infrastructure. Asset owners with end-of-life industrial equipment requiring risk-based mitigation strategies. Compliance officers managing NERC CIP or IEC 62443 security programs with unsupported control system components.

Technical summary

The DirectLogic H2-DM1E uses a session key to maintain authenticated sessions between the host PC and the PLC. The vulnerability allows an attacker who captures this session key to inject arbitrary traffic into an active session. Successful exploitation also requires the attacker to spoof the IP address and MAC address of the legitimate host. This is an application-layer control mechanism failure in session management. The CVSS 3.1 vector AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates an adjacent-network attack vector with no privileges or user interaction required, yielding high impacts to confidentiality, integrity, and availability.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to the BRX platform, which is actively maintained within AutomationDirect's secure development lifecycle and designed to current security standards
  • Implement network segmentation and air gapping to isolate H2-DM1E systems from broader network infrastructure
  • Deploy StrideLinx secure VPN platform to place affected systems behind encrypted tunnel access
  • Conduct asset inventory to identify all H2-DM1E deployments in operational technology environments
  • Review network architecture for H2-DM1E systems to ensure they are not exposed to untrusted networks
  • Establish monitoring for anomalous session behavior or unexpected traffic injection attempts on H2-DM1E communications
  • Contact AutomationDirect for migration planning assistance and additional security guidance
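As an added detection example (not part of the PatchSiren debrief or any AutomationDirect tooling): because exploitation requires the attacker to spoof both the legitimate host's IP and MAC, the switch ingress port is one attribute the injected traffic cannot copy, so a collector that records it can flag a session key seen from two ports within a short window. The record layout, port names, addresses and session keys below are constructed.

```python
from collections import defaultdict

# Constructed sample records, as a span-port or switch flow collector might
# export them for traffic between the engineering host and the H2-DM1E.
# Fields: timestamp (s), switch ingress port, source MAC, source IP, session key.
SAMPLE_RECORDS = [
    (100.0, "Gi1/0/3", "00:11:22:33:44:55", "192.0.2.10", "SK-7A1"),
    (101.5, "Gi1/0/3", "00:11:22:33:44:55", "192.0.2.10", "SK-7A1"),
    # Same MAC, IP and session key, but arriving on a different port.
    (102.0, "Gi1/0/9", "00:11:22:33:44:55", "192.0.2.10", "SK-7A1"),
    (103.0, "Gi1/0/3", "00:11:22:33:44:55", "192.0.2.10", "SK-7A1"),
    # Unrelated host with its own session, single port: no alert expected.
    (104.0, "Gi1/0/5", "00:11:22:33:44:66", "192.0.2.11", "SK-9C2"),
]


def find_hijack_indicators(records, window=30.0):
    """Return one alert per session key seen from more than one ingress port
    within `window` seconds of each other. A legitimate host moving between
    ports would also trigger this, so treat alerts as triage items."""
    last_seen = defaultdict(dict)  # session_key -> {port: last timestamp}
    reported = set()               # (session_key, port pair) already alerted
    alerts = []
    for ts, port, mac, ip, key in sorted(records):
        seen = last_seen[key]
        for other_port, other_ts in seen.items():
            if other_port == port or ts - other_ts > window:
                continue
            pair = tuple(sorted((other_port, port)))
            if (key, pair) in reported:
                continue
            reported.add((key, pair))
            alerts.append({"session_key": key, "ip": ip, "mac": mac,
                           "ports": pair, "time": ts})
        seen[port] = ts
    return alerts


if __name__ == "__main__":
    for alert in find_hijack_indicators(SAMPLE_RECORDS):
        print("possible injection into session", alert)
```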

Evidence notes

Session hijacking requires the attacker to capture the session key and spoof the IP and MAC addresses of the legitimate host. The attack vector is adjacent network (AV:A) with low attack complexity (AC:L).

Official resources

CISA published advisory ICSA-24-256-17 on September 12, 2024, disclosing this vulnerability. The vendor has explicitly stated the product is end-of-life and will not receive security updates.