PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-6558 HMS Industrial Networks CVE debrief

CISA published advisory ICSA-24-193-20 on 2024-07-11 disclosing a stored cross-site scripting (XSS) vulnerability in HMS Industrial Networks Anybus-CompactCom 30 products. The flaw stems from missing input sanitization, which allows an attacker to inject HTML/JavaScript into input fields and have it persist on the device. When a user subsequently loads the affected page, the browser executes the stored payload, creating a vector for social engineering. The CVSS 3.0 score is 6.3 (Medium). HMS has issued a security advisory and recommends password-protecting the web pages, disabling the webserver, segmenting the network, or upgrading to Anybus-CompactCom 40 modules.

Vendor: HMS Industrial Networks
Product: Anybus-CompactCom 30
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-07-11
Original CVE updated: 2024-07-11
Advisory published: 2024-07-11
Advisory updated: 2024-07-11

Who should care

Industrial control system operators, OT security teams, and asset owners deploying HMS Anybus-CompactCom 30 modules in manufacturing, process control, or building automation environments. Organizations with remote or internet-exposed device management interfaces face elevated risk of social engineering attacks leveraging this stored XSS vector.

Technical summary

The Anybus-CompactCom 30 embedded networking module fails to sanitize user input in its web interface fields, permitting stored XSS. An attacker can persist malicious HTML/JavaScript that executes in the browser of any user who later loads the affected page. This enables credential harvesting, session hijacking, or social engineering through manipulated interface content. Exploitation requires network access to the device web interface and user interaction to trigger the payload. HMS recommends access controls, disabling the webserver, or a hardware upgrade to CompactCom 40 as remediation paths.

Defensive priority

medium

Recommended defensive actions

  • Apply vendor-provided mitigations: password-protect all webpages served by the Anybus-CompactCom 30 module or disable the webserver if not required
  • Consider upgrading to Anybus-CompactCom 40 module as a vendor-supported remediation
  • Deploy network segmentation to isolate affected devices behind firewalls, ensuring isolation from corporate networks and blocking unnecessary protocols from unauthorized sources
  • Review and implement CISA ICS recommended practices for defense-in-depth strategies
  • Monitor for HMS security advisory updates regarding firmware patches or additional mitigations
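As an added example (not vendor or CISA code), the following script helps an asset owner verify that the first vendor mitigation is in place across an inventory of Anybus-CompactCom 30 modules: an unauthenticated GET that classifies each module as webserver disabled, password-protected, or still openly reachable. The addresses in INVENTORY are constructed placeholders, and the status-code mapping is an assumption about how an auth-protected module responds.

```python
"""Verify the CVE-2024-6558 vendor mitigation (webserver disabled or pages
password-protected) across a list of Anybus-CompactCom 30 module addresses.
Added example; not code from HMS or CISA."""
import socket
import urllib.error
import urllib.request

# Constructed inventory using RFC 5737 documentation addresses; replace with
# the module addresses from your own OT asset list.
INVENTORY = ["192.0.2.10", "192.0.2.11"]


def probe(host, path="/", timeout=3.0):
    """Send one unauthenticated GET and report what came back.

    Returns ("http", status_code) for any HTTP reply, including 401/403,
    or ("closed", None) when nothing answers (webserver off or unreachable).
    Nothing is written to the device."""
    url = f"http://{host}{path}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return ("http", resp.status)
    except urllib.error.HTTPError as exc:  # 4xx/5xx: the server is up
        return ("http", exc.code)
    except (urllib.error.URLError, socket.timeout, OSError):
        return ("closed", None)


def classify(outcome):
    """Map a probe result to the mitigation state described in the advisory.
    Assumes a password-protected module answers 401 or 403 to an
    unauthenticated request; adjust if your firmware behaves differently."""
    kind, status = outcome
    if kind == "closed":
        return "webserver disabled or unreachable (mitigated)"
    if status in (401, 403):
        return "password-protected (mitigated)"
    if 200 <= status < 300:
        return "UNPROTECTED: page served without credentials (confirm it is not just a login form)"
    return f"webserver up with unexpected status {status}; review manually"


def assess_inventory(hosts):
    """Probe every host and return {host: mitigation state}."""
    return {host: classify(probe(host)) for host in hosts}


if __name__ == "__main__":
    for host, state in assess_inventory(INVENTORY).items():
        print(f"{host}: {state}")
```

Run it from a host on the OT network with HTTP reachability to the modules; a 200 result should be followed up by checking whether the served page is the module's unauthenticated interface or only its login form.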

Evidence notes

CISA CSAF advisory ICSA-24-193-20 confirms stored XSS via lack of input sanitization in Anybus-CompactCom 30. HMS security advisory provides vendor mitigations including password protection, webserver disablement, and product upgrade path to CompactCom 40.
