PatchSiren cyber security CVE debrief
CVE-2024-11166 Traffic Alert and Collision Avoidance System (TCAS) II CVE debrief
CVE-2024-11166 is a HIGH severity vulnerability (CVSS 3.1: 8.2) affecting Traffic Alert and Collision Avoidance System (TCAS) II aircraft safety systems. Published on January 21, 2024, this vulnerability exists in TCAS II systems using transponders compliant with Minimum Operational Performance Standards (MOPS) earlier than RTCA DO-181F. An attacker with adjacent network access can impersonate a ground station and issue a Comm-A Identity Request, which sets the Sensitivity Level Control (SLC) to its lowest setting and disables the Resolution Advisory (RA) function. This creates a denial-of-service condition that degrades collision avoidance capabilities. CISA notes that while exploitable in laboratory conditions, the vulnerability requires very specific conditions and is unlikely to be exploited outside controlled environments. No known public exploitation has been reported. The vulnerability is not remotely exploitable and carries high attack complexity.
- Vendor
- Traffic Alert and Collision Avoidance System (TCAS) II
- Product
- TCAS II
- CVSS
- HIGH 8.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-01-21
- Original CVE updated
- 2024-01-21
- Advisory published
- 2024-01-21
- Advisory updated
- 2024-01-21
Who should care
Aircraft operators, aviation maintenance organizations, fleet managers, pilots, air traffic management authorities, aviation cybersecurity professionals, and regulatory bodies including FAA and international civil aviation organizations should prioritize assessment and remediation of this vulnerability due to its direct impact on flight safety systems.
Technical summary
TCAS II systems with transponders below RTCA DO-181F compliance are vulnerable to ground station impersonation attacks. An attacker on an adjacent network can transmit a Comm-A Identity Request that manipulates the Sensitivity Level Control to minimum settings and disables Resolution Advisory generation. This represents a safety-critical degradation of collision avoidance functionality. The attack requires proximity (adjacent network access) but no privileges or user interaction. The vulnerability affects confidentiality (none), integrity (low), and availability (high) with scope change impact. Remediation requires hardware/software upgrades to ACAS X or DO-181F-compliant transponders.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to ACAS X or upgrade associated transponder to comply with RTCA DO-181F to fully mitigate CVE-2024-11166
- Follow established internal procedures and report suspected malicious activity to CISA for tracking and correlation
- Review CISA ICS recommended practices for defense-in-depth strategies applicable to aviation systems
- Assess transponder MOPS compliance status across affected aircraft fleets
- Coordinate with FAA and aviation maintenance organizations for remediation planning
- Monitor for anomalous transponder behavior or unexpected SLC changes during pre-flight and in-flight operations
Evidence notes
Source: CISA CSAF advisory ICSA-25-021-01. CVSS 3.1 vector: AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H. Affected product: TCAS II version 7.1 and earlier with transponders below RTCA DO-181F compliance.
Official resources
-
CVE-2024-11166 CVE record
CVE.org
-
CVE-2024-11166 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA published advisory ICSA-25-021-01 on January 21, 2024, coordinating with the Federal Aviation Administration (FAA) and researchers. The advisory confirms these vulnerabilities were validated in lab environments with exploitation deemed