PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-41927 IDEC Corporation CVE debrief

A cleartext transmission vulnerability in IDEC Corporation industrial control system (ICS) products allows attackers with physical access to obtain user authentication information. The vulnerability affects multiple CPU module series used in programmable logic controllers (PLCs) and related industrial automation equipment. CISA published the initial advisory on September 19, 2024, with subsequent updates in July 2025 and February 2026 to revise product information, mitigation guidance, and vendor advisory links. The vulnerability carries a CVSS 3.1 score of 4.6 (Medium severity) with a physical attack vector, indicating that an attacker must have local access to the device or its network segment to exploit the weakness. The affected products transmit authentication credentials in cleartext, enabling credential theft through network sniffing or similar techniques when an attacker has physical proximity to the device or its communication path. IDEC Corporation has released firmware updates for all affected product lines to address this vulnerability.

Vendor
IDEC Corporation
Product
FC6A Series MICROSmart All-in-One CPU module
CVSS
MEDIUM 4.6
CISA KEV
Not listed in stored evidence
Original CVE published
2024-09-19
Original CVE updated
2026-02-18
Advisory published
2024-09-19
Advisory updated
2026-02-18

Who should care

Organizations operating IDEC industrial automation equipment in manufacturing, process control, building automation, or other industrial environments. Security teams responsible for OT/ICS infrastructure, plant engineers, and system integrators deploying IDEC PLCs and related components should prioritize firmware updates and assess network segmentation controls. Organizations subject to NERC CIP, IEC 62443, or similar industrial cybersecurity frameworks should evaluate this vulnerability against their asset inventories and patch management procedures.

Technical summary

The vulnerability exists in the authentication mechanism of IDEC industrial control products, which transmit user credentials in cleartext. An attacker with physical access to the device or its network segment can capture authentication information through passive network monitoring. The attack requires no privileges or user interaction, but the physical attack vector limits exploitation to scenarios where an attacker has local access. The vulnerability does not affect system integrity or availability, but successful exploitation results in complete confidentiality compromise of authentication credentials.

Defensive priority

medium

Recommended defensive actions

  • Update affected IDEC FC6A Series MICROSmart All-in-One CPU modules to firmware version 2.70 or later
  • Update affected IDEC FC6B Series MICROSmart All-in-One CPU modules to firmware version 2.70 or later
  • Update affected IDEC FC6A Series MICROSmart Plus CPU modules to firmware version 2.50 or later
  • Update affected IDEC FC6B Series MICROSmart Plus CPU modules to firmware version 2.70 or later
  • Update affected IDEC FT1A Series SmartAXIS Pro/Lite devices to firmware version 2.50 or later
  • Review network segmentation for affected industrial control devices to limit physical access
  • Monitor for unauthorized physical access to ICS device locations
  • Apply defense-in-depth strategies for industrial control systems per CISA guidance

Evidence notes

CISA ICS advisory ICSA-24-263-02 (initially published 2024-09-19, updated 2025-07-10 as Update A, and revised 2026-02-18) documents this cleartext transmission vulnerability in IDEC industrial control products. The advisory references CWE-319 (Cleartext Transmission of Sensitive Information) and provides specific firmware version requirements for remediation. The CVSS vector (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) confirms the physical attack vector with high confidentiality impact but no integrity or availability impact.

Official resources

2024-09-19