PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-38285 Motorola Solutions CVE debrief

Motorola Solutions Vigilant Fixed LPR Coms Box (BCAV1F2-C600) devices through firmware version 3.1.171.9 store credentials in log files with insufficient protection, allowing decoding via open source tools. CISA published advisory ICSA-24-165-19 on June 13, 2024. Motorola Solutions has remediated this vulnerability for all affected systems; no customer action is required.

Vendor: Motorola Solutions
Product: Vigilant Fixed LPR Coms Box (BCAV1F2-C600)
CVSS: MEDIUM 6.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-06-13
Original CVE updated: 2024-06-13
Advisory published: 2024-06-13
Advisory updated: 2024-06-13

Who should care

Organizations operating Motorola Solutions Vigilant License Plate Reader systems, particularly law enforcement and security agencies using fixed LPR deployments. Security teams responsible for physical security infrastructure and OT/ICS asset management should prioritize verification of remediation status.

Technical summary

The Vigilant Fixed LPR Coms Box stores credentials in system logs without adequate protection mechanisms. An attacker with physical access to the device can extract these logs and decode the credentials using publicly available open source tools, potentially gaining unauthorized access to the system or associated infrastructure. The CVSS 3.1 score of 6.8 (Medium) reflects the physical access requirement (AV:P) combined with high impacts across confidentiality, integrity, and availability (C:H/I:H/A:H).

Defensive priority

Medium

Recommended defensive actions

  • Verify that affected Vigilant Fixed LPR Coms Box devices are running firmware later than version 3.1.171.9
  • Confirm with Motorola Solutions that the vendor remediation has been applied to all deployed systems
  • Delete any log files from these devices that may have been retained or archived prior to vendor remediation
  • Review logging configurations to ensure credentials are not written to persistent storage
  • Apply CISA ICS recommended practices for defense-in-depth strategies for physical security controls

Evidence notes

CISA advisory ICSA-24-165-19 confirms affected product as Vigilant Fixed LPR Coms Box (BCAV1F2-C600) firmware version 3.1.171.9 and earlier. CVSS 3.1 vector AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates physical access requirement with high impact on confidentiality, integrity, and availability.

Official resources

Motorola Solutions reported this vulnerability to CISA. The vendor has already applied remediation to all vulnerable systems.