PatchSiren cyber security CVE debrief
CVE-2024-36080 Westermo CVE debrief
A critical vulnerability in Westermo EDW-100 industrial serial-to-Ethernet converters exposes a hidden administrator account with hardcoded credentials. The root account password is embedded as plaintext strings within the firmware image.bin file, allowing trivial extraction by anyone with firmware access. No mechanism exists to change this password, rendering affected devices permanently vulnerable to unauthorized administrative access. The vulnerability carries a CVSS 3.1 score of 9.8 (Critical) due to network attack vector, low complexity, no privileges required, and high impacts across confidentiality, integrity, and availability.
- Vendor: Westermo
- Product: EDW-100
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-05-30
- Original CVE updated: 2024-05-30
- Advisory published: 2024-05-30
- Advisory updated: 2024-05-30
Who should care
Industrial control system operators using Westermo EDW-100 serial-to-Ethernet converters in manufacturing, energy, transportation, and critical infrastructure environments; network security architects designing OT/IT boundary protections; asset owners implementing IEC 62443 security zones; incident response teams monitoring for unauthorized device access; procurement officers evaluating industrial networking equipment lifecycle and security posture.
Technical summary
The Westermo EDW-100 firmware package contains image.bin with hardcoded strings for username 'root' and its associated password. These credentials are exposed as plaintext strings trivially extractable through firmware analysis. The device provides no administrative interface or mechanism to modify or disable this account. Successful exploitation grants complete device control with no authentication barriers when network access is obtained. The vulnerability is inherent to the product design and cannot be patched; risk reduction requires compensating network and physical controls or product replacement.
Defensive priority
critical
Recommended defensive actions
- Replace affected EDW-100 units with Westermo Lynx DSS L105-S1 as the vendor-recommended migration path
- Implement network segregation and perimeter protection using firewalls and VLANs to isolate EDW-100 from untrusted networks
- Deploy network-to-network protection such as VPNs for any data flows into or out of security zones containing EDW-100
- Establish physical security controls including locked enclosures and tamper alarms to prevent physical access and firmware extraction
- Apply IEC 62443 standard security zone and conduit modeling for industrial control system deployments
- Monitor for unauthorized administrative connections to EDW-100 devices using network detection tools
- Review and restrict remote access paths to EDW-100 management interfaces
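A detection check for the monitoring action above, added here as an example and not taken from the CISA advisory or from Westermo: it flags TCP connections to management ports on inventoried EDW-100 units that originate outside an allowed engineering subnet, run over constructed flow records. The asset addresses, the allowed subnet and the management ports (22, 23, 80, 443) are assumptions; confirm the ports against the services the device actually exposes.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inventory: addresses of EDW-100 units in a serial-gateway zone (example values).
EDW100_ASSETS = {"10.20.30.11", "10.20.30.12"}
# Constructed policy: only the OT engineering jump-host subnet may manage the converters.
ALLOWED_MGMT_SOURCES = [ipaddress.ip_network("10.20.40.0/24")]
# Assumed management ports (SSH, Telnet, HTTP, HTTPS); not taken from the advisory.
MGMT_PORTS = {22, 23, 80, 443}


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    port: int


def parse_flow(line):
    """Parse one constructed flow record: '<ts> <src_ip> <dst_ip> <dst_port> <proto>'."""
    ts, src, dst, port, proto = line.split()
    return ts, src, dst, int(port), proto


def is_allowed_source(src):
    """True when the source address lies inside an approved management subnet."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_MGMT_SOURCES)


def find_unauthorized_mgmt(lines):
    """Return an Alert for every TCP management connection to an EDW-100 from an unapproved source."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port, proto = parse_flow(line)
        if proto != "tcp" or dst not in EDW100_ASSETS or port not in MGMT_PORTS:
            continue  # not management traffic to a converter; out of scope for this rule
        if not is_allowed_source(src):
            alerts.append(Alert(ts, src, dst, port))
    return alerts


# Constructed sample flows: one approved SSH session, two unapproved management attempts,
# one non-management flow to a converter, and one management flow to an unrelated host.
SAMPLE_FLOWS = """
2024-06-03T10:01:02Z 10.20.40.5 10.20.30.11 22 tcp
2024-06-03T10:02:10Z 192.168.1.77 10.20.30.11 23 tcp
2024-06-03T10:03:00Z 10.20.40.5 10.20.30.12 502 tcp
2024-06-03T10:04:15Z 172.16.9.3 10.20.30.12 443 tcp
2024-06-03T10:05:00Z 172.16.9.3 10.20.99.1 22 tcp
"""

if __name__ == "__main__":
    for a in find_unauthorized_mgmt(SAMPLE_FLOWS.splitlines()):
        print(f"ALERT {a.ts} {a.src} -> {a.dst}:{a.port} management access from unapproved source")
```

Because the root password cannot be changed, any management connection from outside the approved subnet should be treated as a likely compromise rather than a misconfiguration.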
Evidence notes
CISA ICS advisory ICSA-24-151-04 confirms the hardcoded credentials exist in firmware image.bin with username 'root' and extractable password strings. Vendor acknowledges no password change mechanism is available. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H validated by CISA.
Official resources
- CVE-2024-36080 CVE record (CVE.org)
- CVE-2024-36080 NVD detail (NVD)
- Source item URL: cisa_csaf
2024-05-30