CVE-2024-1491 Electrolink CVE debrief

Who should care

Broadcast station engineers, critical infrastructure security teams, OT/ICS security practitioners, telecommunications regulators, and organizations operating Electrolink transmission equipment

Technical summary

The vulnerability exists in the MPFS2 file system upload endpoint, which lacks authentication controls. The MPFS2 module normally provides read-only file system capabilities stored in external EEPROM, serial flash, or internal program memory for the HTTP2 web server and SNMP modules. However, the exposed upload endpoint allows attackers to write arbitrary binary images, overwriting the flash program memory that contains the web server's main interfaces. This enables code execution within the transmitter's embedded system. The attack is network-accessible without credentials, requires no user interaction, and affects all versions of 24 distinct transmitter products spanning DAB, FM, and TV broadcast equipment.

Defensive priority

HIGH

Recommended defensive actions

• Contact Electrolink directly for security updates or mitigation guidance, as the vendor has not coordinated with CISA on fixes
• Restrict network access to affected transmitter management interfaces using firewall rules or network segmentation
• Monitor for unauthorized MPFS upload attempts to the unprotected endpoint
• Implement defense-in-depth controls per CISA ICS recommended practices for industrial control systems
• Consider disabling remote management interfaces if not operationally required
• Review and apply CISA ICS-CERT defense in depth guidance for protecting critical broadcast infrastructure

Evidence notes

Vulnerability description and affected product list derived from CISA ICS Advisory ICSA-24-107-02. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N confirms network-exploitable, unauthenticated attack with high integrity impact. Vendor non-response status documented in advisory remediations section.

Official resources