Denial-of-service and Input Validation Vulnerabilities in PowerFlex® 527

Severity:
High
Advisory ID:
SD1664
Published Date:
March 21, 2024
Last Updated:
December 04, 2024
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
Yes
CVE IDs
CVE-2024-2425,
CVE-2024-2426,
CVE-2024-2427
Downloads
The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:
Summary
Denial-of-service and Input Validation Vulnerabilities in PowerFlex® 527

Published Date: March 21, 2024
Last updated: August 5, 2025
Revision Number: 1.0
CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product    First Known in software version    Corrected in software version
PowerFlex® 527      v2.001.x <                         n/a

SECURITY ISSUE DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following security issues.

CVE-2024-2425 IMPACT

A denial-of-service security issue exists in the PowerFlex® 527 due to improper input validation in the device. The web server crashes and a manual restart is needed to recover it.

CVSS Base Score 3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score 4.0: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-120: Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

CVE-2024-2426 IMPACT

A denial-of-service security issue exists in the PowerFlex® 527 due to improper input validation in the device. A disruption in the CIP communication can occur, and the user must perform a manual restart to recover it.

CVSS Base Score 3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score 4.0: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-120: Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

CVE-2024-2427 IMPACT

A denial-of-service security issue exists in the PowerFlex® 527 due to improper traffic throttling in the device. If multiple data packets are sent to the device repeatedly, the device crashes and requires a manual restart to recover.

CVSS Base Score 3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score 4.0: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-400: Uncontrolled Resource Consumption

Users can use Stakeholder-Specific Vulnerability Categorization (SSVC) to create more environment-specific categories.

Mitigations and Workarounds

There is currently no fix for these issues. Customers using the affected software should apply the following risk mitigations and security best practices.

  • Implement network segmentation, confirming the device is on an isolated network.
  • Disable the web server if it is not needed. The web server is disabled by default; the option to disable this feature is available in v2.001.x and later.
  • Security Best Practices

ADDITIONAL RESOURCES

  • JSON CVE-2024-2425
  • JSON CVE-2024-2426
  • JSON CVE-2024-2427

Glossary

CIP Communication: Common Industrial Protocol (CIP) is a common communication standard that is widely used in industrial automation. It comprises a series of protocols for communication between different devices and systems in automation technology.

Denial-of-Service: a malicious attempt to overwhelm a web property with traffic in order to disrupt its normal operations.

Traffic Throttling: a method used to intentionally slow down internet speed or data transmission to manage network congestion and ensure fair usage among users.

Copyright ©2022 Rockwell Automation, Inc.