PatchSiren cyber security CVE debrief

CVE-2024-8497 Franklin Fueling Systems CVE debrief

Franklin Fueling Systems TS-550 EVO versions prior to 2.26.4.8967 contain an arbitrary file read vulnerability that could allow an attacker to obtain administrator credentials. The vulnerability was disclosed by CISA on September 24, 2024, with a CVSS 3.1 score of 7.5 (HIGH). The affected product is an automatic tank gauge (ATG) fuel management system used in critical infrastructure environments. The vulnerability stems from a file that can be read without authorization, exposing sensitive credential information. No known exploitation in the wild or use in ransomware campaigns has been reported. The vendor has released firmware version 2.26.4.8967 to address this issue. Organizations operating these systems should prioritize patching given the network-accessible attack vector and high confidentiality impact.

Vendor: Franklin Fueling Systems
Product: TS-550 EVO
CVSS: 7.5 (HIGH)
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-09-24
Original CVE updated: 2024-09-24
Advisory published: 2024-09-24
Advisory updated: 2024-09-24

Who should care

Organizations operating fuel storage and distribution facilities using Franklin Fueling Systems TS-550 EVO automatic tank gauges, including petroleum retailers, fleet fueling operations, aviation fuel facilities, and critical infrastructure operators in the energy sector.

Technical summary

The TS-550 EVO automatic tank gauge contains a path allowing arbitrary file read without authentication. An attacker with network access can retrieve a file containing administrator credentials, achieving complete administrative compromise of the device. The attack requires no user interaction and is trivial to execute (AC:L). Confidentiality impact is rated HIGH; integrity and availability impacts are NONE per CVSS 3.1 scoring. The vulnerability is remotely exploitable and affects all firmware versions below 2.26.4.8967.

Defensive priority

HIGH

Recommended defensive actions

  • Update TS-550 EVO firmware to version 2.26.4.8967 or later per vendor guidance
  • Restrict network access to TS-550 EVO management interfaces to authorized administrative hosts only
  • Monitor for unauthorized access attempts to TS-550 EVO file system paths
  • Review and rotate administrator credentials if compromise is suspected
  • Apply CISA ICS recommended practices for network segmentation of fuel management systems
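The first action above depends on knowing which devices actually run firmware older than 2.26.4.8967. The following is an added example, not PatchSiren or Franklin Fueling Systems code, showing how to compare dotted firmware versions numerically against the fix version from the advisory; the inventory hostnames and versions are constructed sample data, and a naive string comparison would misorder them (for example it places "2.9.0.0" after "2.26.4.8967").

```python
"""Firmware-version check against the TS-550 EVO fix threshold.

Added example, not vendor or PatchSiren code. The fix version 2.26.4.8967 is
taken from the advisory; the inventory entries below are constructed sample data.
"""
import re

FIXED_VERSION = "2.26.4.8967"


def parse_version(version: str) -> tuple:
    """Turn a dotted version string into a tuple of ints so that comparison is
    numeric rather than lexicographic ('2.9.0.0' must sort below '2.26.4.8967')."""
    if not re.fullmatch(r"\d+(\.\d+)*", version.strip()):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in version.strip().split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed firmware is older than the fixed release.
    Shorter tuples are padded with zeros so that '2.26' compares as '2.26.0.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def triage(inventory: list) -> list:
    """Return the inventory entries that still need attention. Versions that
    cannot be parsed are flagged for manual review instead of being skipped."""
    findings = []
    for dev in inventory:
        try:
            status = "UPDATE" if is_vulnerable(dev["firmware"]) else "OK"
        except ValueError:
            status = "REVIEW"
        if status != "OK":
            findings.append({**dev, "status": status})
    return findings


# Constructed sample inventory (hostnames and firmware strings are made up)
SAMPLE_INVENTORY = [
    {"host": "atg-site-01", "firmware": "2.26.4.8967"},
    {"host": "atg-site-02", "firmware": "2.9.0.0"},
    {"host": "atg-site-03", "firmware": "2.26.4.8970"},
    {"host": "atg-site-04", "firmware": "unknown"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding["host"], finding["firmware"], finding["status"])
```

Feeding the real inventory export into `triage` (hypothetical field names `host` and `firmware`) gives the list of devices to schedule for the update, with unparseable entries surfaced rather than silently treated as patched.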

Evidence notes

CISA ICS Advisory ICSA-24-268-03 published 2024-09-24 identifies arbitrary file read leading to credential exposure in TS-550 EVO ATG firmware. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N confirms network-accessible, unauthenticated read of high-value data. Vendor remediation guidance specifies firmware 2.26.4.8967 as fix version. No KEV listing or active exploitation confirmed at disclosure.

Official resources

2024-09-24