PatchSiren cyber security CVE debrief
CVE-2024-43423 Dover Fueling Solutions (DFS) CVE debrief
A critical vulnerability in Dover Fueling Solutions ProGauge MAGLINK LX CONSOLE products allows unauthenticated remote attackers to gain full administrative access due to a hardcoded, unchangeable administrative password in the web application. The vulnerability affects MAGLINK LX CONSOLE versions 3.4.2.2.6 and earlier, and MAGLINK LX4 CONSOLE versions 4.17.9e and earlier. With a CVSS 3.1 score of 9.8 (Critical), this vulnerability enables network-based attacks without requiring authentication, potentially allowing complete compromise of confidentiality, integrity, and availability of affected fuel management systems.
- Vendor: Dover Fueling Solutions (DFS)
- Product: ProGauge MAGLINK LX CONSOLE
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-09-24
- Original CVE updated: 2024-09-24
- Advisory published: 2024-09-24
- Advisory updated: 2024-09-24
Who should care
Organizations operating fuel management systems, particularly in critical infrastructure sectors including petroleum distribution, retail fueling stations, fleet fueling operations, and industrial fuel storage facilities. Security teams responsible for OT/ICS environments, network administrators managing isolated industrial networks, and compliance officers overseeing NERC CIP or sector-specific security requirements should prioritize assessment and remediation.
Technical summary
The ProGauge MAGLINK LX CONSOLE web application contains an administrative-level user account whose password is hardcoded and cannot be changed by users. Because the credential is fixed, any attacker with network access to the web application can authenticate as an administrator without possessing prior credentials. The vulnerability is remotely exploitable with low attack complexity, requires no privileges or user interaction, and results in complete system compromise. Affected products are MAGLINK LX CONSOLE (≤3.4.2.2.6) and MAGLINK LX4 CONSOLE (≤4.17.9e). Dover Fueling Solutions has released version 4.19.10 to remediate this issue.
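For asset owners working through an inventory, the practical question is which consoles fall inside the affected ranges above. The following Python is an added example written for this debrief, not code from DFS or CISA: it parses the version-string forms that appear in the advisory (dotted numerics such as 3.4.2.2.6 and 4.19.10, and a trailing letter suffix as in 4.17.9e), compares a reported version against the affected ceiling for its product line, and flags the rows that still need the update. The inventory rows are constructed sample data, and the product-name keys and function names are this example's own assumptions.

```python
"""Inventory triage for CVE-2024-43423 (ProGauge MAGLINK LX / LX4 CONSOLE).

Added example, not vendor or advisory code. The affected ceilings and the
fixed version come from the debrief text; the inventory below is constructed.
"""
import re

# Highest affected version per product line, as stated in the advisory.
AFFECTED_CEILING = {
    "MAGLINK LX CONSOLE": "3.4.2.2.6",
    "MAGLINK LX4 CONSOLE": "4.17.9e",
}
FIXED_VERSION_LX4 = "4.19.10"  # remediation release named in the advisory

# Dotted numeric components with an optional single trailing letter (4.17.9e).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)$")


def parse_version(ver: str) -> tuple:
    """Return ((numeric parts...), suffix) so versions compare as tuples.

    A bare release sorts before its lettered revision: 4.17.9 < 4.17.9e,
    because the empty suffix '' compares lower than 'e'.
    """
    m = _VERSION_RE.match(ver.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {ver!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, m.group(2)


def version_le(a: str, b: str) -> bool:
    """True if version a <= version b (numeric parts first, then suffix)."""
    na, sa = parse_version(a)
    nb, sb = parse_version(b)
    # Pad the shorter numeric tuple so 3.4.2.2 compares cleanly with 3.4.2.2.6.
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    return (na, sa) <= (nb, sb)


def is_affected(product: str, version: str) -> bool:
    """True if this product/version pair is inside the advisory's affected range."""
    ceiling = AFFECTED_CEILING.get(product.strip().upper())
    if ceiling is None:
        raise KeyError(f"no advisory data for product {product!r}")
    return version_le(version, ceiling)


# Constructed sample inventory: (site id, product line, reported version).
SAMPLE_INVENTORY = [
    ("site-01", "MAGLINK LX CONSOLE", "3.4.2.2.6"),   # exactly at the LX ceiling
    ("site-02", "MAGLINK LX CONSOLE", "3.4.2.2.5"),   # below the LX ceiling
    ("site-03", "MAGLINK LX4 CONSOLE", "4.17.9e"),    # exactly at the LX4 ceiling
    ("site-04", "MAGLINK LX4 CONSOLE", "4.17.9"),     # bare release below 4.17.9e
    ("site-05", "MAGLINK LX4 CONSOLE", "4.19.10"),    # the fixed release
    ("site-06", "MAGLINK LX4 CONSOLE", "4.18.2"),     # above the stated ceiling
]


def triage(inventory):
    """Return the inventory rows whose version is still in the affected range."""
    return [row for row in inventory if is_affected(row[1], row[2])]


if __name__ == "__main__":
    for site, product, ver in triage(SAMPLE_INVENTORY):
        print(f"{site}: {product} {ver} is affected by CVE-2024-43423; "
              f"schedule update (LX4 fix is {FIXED_VERSION_LX4}) or contact DFS")
```

Run it as a script to list the consoles needing attention; the suffix handling matters because a naive string comparison would place "4.17.9e" after "4.19.10" and misclassify patched units.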
Defensive priority
Critical
Recommended defensive actions
- Contact Dover Fueling Solutions customer support at 877-679-8324 to obtain and install software update version 4.19.10 for MAGLINK LX4 CONSOLE, which addresses this vulnerability
- Deploy MAGLINK consoles behind network firewalls to restrict unauthorized network access
- Implement network segmentation to isolate fuel management systems from untrusted networks
- Monitor for and apply security updates on a timely basis through DFS's authorized service organizations
- Consider operating MAGLINK consoles offline or disconnected from networks where operational requirements permit
- Access technical bulletins and updates through the DFS proprietary portal if you are a registered MagLink customer
- Review CISA's ICS recommended practices for additional defensive guidance on securing industrial control systems
Evidence notes
CISA published advisory ICSA-24-268-04 on September 24, 2024, identifying this hardcoded credential vulnerability in ProGauge MAGLINK LX and LX4 CONSOLE systems. The advisory confirms affected versions and vendor-provided remediation.
Official resources
- CVE-2024-43423 CVE record (CVE.org)
- CVE-2024-43423 NVD detail (NVD)
- Source item: cisa_csaf
2024-09-24