PatchSiren cyber security CVE debrief

CVE-2024-5040 LCDS - Leão Consultoria e Desenvolvimento de Sistemas Ltda ME CVE debrief

A path traversal vulnerability in LAquis SCADA allows attackers to access files outside their authorized directory. The issue affects versions 4.7.1.7 and earlier. CISA published advisory ICSA-24-142-01 on May 21, 2024, with a CVSS 3.1 score of 7.8 (HIGH). The vendor has released version 4.7.1.371 to address the reported path traversal issues.

Vendor: LCDS - Leão Consultoria e Desenvolvimento de Sistemas Ltda ME
Product: LAquis SCADA
CVSS: 7.8 (HIGH)
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-05-21
Original CVE updated: 2024-05-21
Advisory published: 2024-05-21
Advisory updated: 2024-05-21

Who should care

Industrial control system operators, OT security teams, critical infrastructure defenders, and organizations using LAquis SCADA for process control and monitoring.

Technical summary

CVE-2024-5040 is a path traversal vulnerability in LAquis SCADA software from LCDS. Multiple methods exist for an attacker to access locations outside their authorized directory, potentially exposing sensitive files or system data. The vulnerability requires local access and user interaction but can result in complete compromise of confidentiality, integrity, and availability. Affected versions are 4.7.1.7 and earlier. The vendor has released version 4.7.1.371 with fixes for the reported path traversal issues.

Defensive priority

HIGH

Recommended defensive actions

  • Update LAquis SCADA to version 4.7.1.371 or newer to resolve path traversal vulnerabilities
  • Verify update installation and confirm version 4.7.1.371 or later is running
  • Review file system permissions on SCADA hosts to enforce least-privilege access
  • Segment SCADA networks from enterprise IT and internet-facing systems
  • Monitor for anomalous file access patterns outside expected application directories
  • Apply CISA ICS recommended practices for defense-in-depth security controls

Evidence notes

CISA ICS advisory ICSA-24-142-01 confirms multiple path traversal vectors in LAquis SCADA ≤4.7.1.7. CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H indicates local attack vector with high impact on confidentiality, integrity, and availability. Vendor fix confirmed in version 4.7.1.371.

Official resources

CISA ICS advisory ICSA-24-142-01 (published 2024-05-21)