Koyo Ecom Modules Vulnerabilities

Low RiskICS-CERT ICSA-12-102-02Jan 13, 2012

Summary

Koyo ECOM communication modules (H2-ECOM, H2-ECOM-F, H2-ECOM100, H0-ECOM, H0-ECOM100, H4-ECOM, H4-ECOM-F, H4-ECOM100) used with DirectLogic DL205, DL06, and DL405 series PLCs lack authentication controls for network-based commands. An attacker with network access to these modules can read and write PLC memory, including ladder logic, setpoints, and configuration parameters, without providing any credentials (CWE-306: Missing Authentication).

What this means

What could happen

An attacker could modify PLC logic or process parameters without authentication, potentially causing unintended equipment operation, process disruption, or unsafe conditions in connected systems.

Who's at risk

Water utilities, electric utilities, and any industrial facility using Koyo DirectLogic PLCs (DL205, DL06, or DL405 series) with ECOM communication modules. This includes facilities controlling pumps, motors, valves, generators, and other critical process equipment via these legacy controllers.

How it could be exploited

An attacker with network access to the ECOM module could send Koyo protocol commands directly to the device without providing credentials, allowing them to read or write PLC memory, ladder logic, and configuration data.

Prerequisites

Network access to the ECOM module (typically port 502 or 21 depending on ECOM variant)
No authentication credentials required

no authentication requiredremotely exploitableno patch availablelegacy equipment

Exploitability

Low exploit probability (EPSS 0.5%)

Affected products (8)

8 EOL

ProductAffected VersionsFix Status

H0-ECOM (For DirectLogic DL06 Series Programmable Logic Controllers): vers:all/*All versionsNo fix (EOL)

H0-ECOM100 (For DirectLogic DL06 Series Programmable Logic Controllers): vers:all/*All versionsNo fix (EOL)

H4-ECOM (For DirectLogic DL405 Series Programmable Logic Controllers): vers:all/*All versionsNo fix (EOL)

H4-ECOM-F (For DirectLogic DL405 Series Programmable Logic Controllers): vers:all/*All versionsNo fix (EOL)

H4-ECOM100 (For DirectLogic DL405 Series Programmable Logic Controllers): vers:all/*All versionsNo fix (EOL)

H2-ECOM (For DirectLogic DL205 Series Programmable Logic Controllers): vers:all/*All versionsNo fix (EOL)

H2-ECOM-F (For DirectLogic DL205 Series Programmable Logic Controllers): vers:all/*All versionsNo fix (EOL)

H2-ECOM100 (For DirectLogic DL205 Series Programmable Logic Controllers): vers:all/*All versionsNo fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGImplement network segmentation to isolate ECOM modules and connected DL205/DL06/DL405 PLCs from untrusted networks using firewalls or industrial switches

WORKAROUNDRestrict network access to ECOM modules to only authorized engineering workstations and HMI systems; block all unnecessary inbound connections

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGMonitor for unauthorized access attempts to ECOM modules using network-based logging or IDS where available

HARDENINGConduct a network topology review to identify all ECOM modules in use and their connectivity; document and secure any that are internet-accessible or on shared corporate networks

CVEs (1)

CVE-2012-1809

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/b56db5f5-330d-4dce-9ee3-9f0f2263f3bc