PatchSiren

PatchSiren cyber security CVE debrief

CVE-2019-6268 RAD Data Communications CVE debrief

CVE-2019-6268 is a directory traversal vulnerability affecting RAD Data Communications SecFlow-2 industrial devices. It allows unauthenticated remote attackers to read arbitrary files on the device by sending HTTP requests whose URI begins with "/.." (a slash followed by two dots). This path traversal bypasses the intended access controls and exposes sensitive system files, as demonstrated by successful retrieval of /etc/shadow, which contains password hashes. The vulnerability exists in SecFlow-2 devices with Hardware 0202, Firmware 4.1.01.63, and U-Boot 2010.12. The CVSS 3.1 score of 7.5 (HIGH) reflects the network attack vector, low attack complexity, no required privileges, and high confidentiality impact.

Notably, this CVE was published by CISA on June 18, 2024, despite the 2019 CVE identifier, indicating a significant delay between vulnerability discovery/existence and formal advisory publication. RAD Data Communications has declared SecFlow-2 end-of-life with no patches planned, and directs customers to migrate to the SecFlow-1p product line as the remediation path.

Vendor: RAD Data Communications
Product: SecFlow-2
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-06-18
Original CVE updated: 2024-06-18
Advisory published: 2024-06-18
Advisory updated: 2024-06-18

Who should care

Organizations operating RAD SecFlow-2 devices in industrial networks, particularly utilities, telecommunications carriers, and critical infrastructure operators using these devices for secure flow management. Security teams responsible for OT/ICS asset management, network architects designing perimeter security for industrial environments, and compliance officers tracking end-of-life equipment status should prioritize this vulnerability.

Technical summary

The vulnerability stems from improper input validation in the device's HTTP request handling. By prefixing a URI with "/..", an attacker can traverse outside the intended web root directory. The affected stack includes Hardware 0202, Firmware 4.1.01.63, and U-Boot 2010.12. Successful exploitation requires no authentication and yields high confidentiality impact through arbitrary file read. The attack is remotely exploitable with low complexity, making automated exploitation feasible. Per the CVSS scoring, no integrity or availability impact is associated with this vulnerability.

Defensive priority

HIGH

Recommended defensive actions

  • Inventory all RAD SecFlow-2 deployments, prioritizing internet-facing or perimeter-connected devices
  • Plan migration to RAD SecFlow-1p product line as recommended by vendor
  • Implement network segmentation to restrict SecFlow-2 device access to authorized management hosts only
  • Deploy web application firewall or proxy rules to block URI patterns beginning with /..
  • Monitor for anomalous HTTP requests containing path traversal sequences
  • Review authentication logs and file access patterns for indicators of compromise
  • Apply CISA ICS recommended practices for defense-in-depth architecture
  • Consider disabling remote web management interfaces where operational requirements permit
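
The monitoring and blocking actions above can be prototyped as a log scan. This is an added example, not code from CISA, RAD, or PatchSiren: it flags request paths that begin with /.. or contain a ".." segment, including percent-encoded and double-encoded forms. The log layout (common log format from a proxy in front of the device) and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed log layout: common/combined log format written by a proxy in front of the device.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly so %2e%2e and double-encoded %252e%252e both become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(target):
    """Return 'prefix' for a path beginning with /.., 'segment' for '..' deeper in, else None."""
    # Drop the query string first, then decode and normalise backslashes.
    path = decode_fully(target.split("?", 1)[0]).replace("\\", "/")
    if path.startswith("/.."):
        return "prefix"
    if ".." in path.split("/"):
        return "segment"
    return None

def scan(lines):
    """Return (source, raw target, status, reason) for every flagged request line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        reason = classify(m["target"]) if m else None
        if reason:
            hits.append((m["src"], m["target"], int(m["status"]), reason))
    return hits

# Constructed sample lines (documentation IP ranges), not taken from any real device.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Jun/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [18/Jun/2024:10:00:02 +0000] "GET /../etc/shadow HTTP/1.1" 200 1184',
    '198.51.100.7 - - [18/Jun/2024:10:00:03 +0000] "GET /%2e%2e/etc/shadow HTTP/1.1" 200 1184',
    '203.0.113.5 - - [18/Jun/2024:10:00:04 +0000] "GET /images/%252e%252e/logo.png HTTP/1.1" 404 0',
    '192.0.2.10 - - [18/Jun/2024:10:00:05 +0000] "GET /docs/v1..2/notes.txt HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for src, target, status, reason in scan(SAMPLE_LOG):
        # A 2xx status on a flagged request means a file was probably served: escalate.
        print(f"{src} {target} status={status} match={reason}")
```

A flagged request that returned a 2xx status should be treated as a probable file disclosure rather than a blocked probe.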

Evidence notes

The vulnerability is confirmed through CISA's CSAF-formatted advisory with specific product version identification. The directory traversal mechanism (/.. prefix) and proof-of-concept demonstration via /etc/shadow access are documented in the source material. Vendor end-of-life status and migration recommendation to SecFlow-1p are explicitly stated in remediation guidance.

Official resources

CISA published advisory ICSA-24-170-01 on June 18, 2024, formally disclosing this vulnerability. The CVE identifier (2019) predates the publication by approximately five years, suggesting the vulnerability existed in deployed devices for an