PatchSiren cyber security CVE debrief
CVE-2024-5650 Yokogawa CVE debrief
A DLL hijacking vulnerability in Yokogawa CENTUM CS 3000 and CENTUM VP allows attackers with prior system or shared folder access to replace a legitimate DLL with a malicious version, resulting in arbitrary code execution with SYSTEM privileges. The attack requires an initial intrusion or unauthorized access to a shared folder, after which the attacker can substitute the DLL file to escalate privileges and run arbitrary programs. This vulnerability affects multiple versions of CENTUM CS 3000 (R3.08.10 through R3.09.50) and CENTUM VP (R4.01.00 through R6.11.10). Yokogawa has released patched versions for supported products and recommends upgrading to CENTUM VP R6.11.12 or later. CENTUM CS and earlier unsupported versions of CENTUM VP will not receive patches.
- Vendor: Yokogawa
- Product: CENTUM CS 3000 (Including CENTUM CS 3000 Entry Class)
- CVSS: HIGH 8.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-06-20
- Original CVE updated: 2024-06-20
- Advisory published: 2024-06-20
- Advisory updated: 2024-06-20
Who should care
Organizations operating Yokogawa CENTUM CS 3000 or CENTUM VP distributed control systems in critical infrastructure sectors including energy, chemical, pharmaceutical, and manufacturing. Security teams responsible for OT/ICS environments, system integrators, and asset owners with legacy CENTUM installations that may no longer receive vendor support.
Technical summary
The vulnerability stems from insufficient DLL loading protections in Yokogawa CENTUM CS 3000 and CENTUM VP software. An attacker who has already compromised a host or gained access to a shared folder can replace a legitimate DLL with a malicious version. When the CENTUM software loads the replaced DLL, the DLL's code executes with SYSTEM account privileges, granting the attacker full control over the affected system. The CVSS 3.0 vector AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H reflects a network attack vector with high attack complexity, low privileges required, and high impact on confidentiality, integrity, and availability, with a scope change. Affected versions span CENTUM CS 3000 R3.08.10-R3.09.50 and CENTUM VP R4.01.00-R6.11.10. Yokogawa's remediation centers on upgrading to CENTUM VP R6.11.12+, with end-of-life products requiring migration or compensating controls.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade affected CENTUM VP systems to version R6.11.12 or later per Yokogawa advisory YSAR-24-0002
- Implement network segmentation and access controls to prevent unauthorized host intrusion and shared folder access
- Establish a comprehensive security program including patch management, anti-virus, backup/recovery, system hardening, application whitelisting, and firewall controls
- Contact Yokogawa for security risk assessment and assistance with continuous security program implementation
- For CENTUM CS 3000 and unsupported CENTUM VP versions, evaluate migration to supported CENTUM VP releases or implement compensating security controls
- Review and apply CISA ICS recommended practices for defense-in-depth strategies
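For hosts that cannot be upgraded, one possible compensating check is to detect the DLL replacement described in the technical summary by comparing DLL hashes against a known-good baseline. This is an added example, not code from Yokogawa, CISA, or this page's source; the directory and baseline file are supplied by the operator (the page names neither the affected DLL nor an install path), and the function names are illustrative.

```python
import hashlib
import json
import sys
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each DLL under root (relative path, lower-cased) to its SHA-256."""
    return {
        p.relative_to(root).as_posix().lower(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() == ".dll"
    }


def compare(baseline: dict, current: dict) -> dict:
    """Report DLLs whose content changed, appeared, or disappeared."""
    return {
        "replaced": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


if __name__ == "__main__":
    # Usage: dllcheck.py baseline|verify <dll_dir> <baseline.json>
    # Take the baseline from a known-good install and keep it off the
    # monitored host, so that write access to the DLL folder does not also
    # give write access to the baseline.
    mode, root, baseline_file = sys.argv[1], Path(sys.argv[2]), Path(sys.argv[3])
    if mode == "baseline":
        baseline_file.write_text(json.dumps(snapshot(root), indent=2))
    else:
        report = compare(json.loads(baseline_file.read_text()), snapshot(root))
        print(json.dumps(report, indent=2))
        sys.exit(1 if any(report.values()) else 0)  # non-zero exit on any drift
```

A legitimate vendor update also changes hashes, so the baseline has to be regenerated after each approved upgrade.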
Evidence notes
CISA ICS advisory ICSA-24-172-01 published 2024-06-20 documents this vulnerability with CVSS 3.0 score 8.5 (HIGH). The advisory confirms affected product versions and provides remediation guidance from Yokogawa.
Official resources
- CVE-2024-5650 CVE record (CVE.org)
- CVE-2024-5650 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-06-20