OTPulse

Accuenergy Acuvim II Authentication Vulnerabilities

Low Risk | ICS-CERT ICSA-14-275-02 | Jul 5, 2014
Summary

Accuenergy Acuvim II energy meter with AXN-NET Ethernet module contains authentication vulnerabilities (CWE-592: Type Confusion With Partially Resolved Object, CWE-602: Client-Side Enforcement of Server-Side Security). The Ethernet module firmware v.3.04 does not properly validate or enforce authentication controls.

What this means
What could happen
An attacker with network access to the Acuvim II meter could bypass authentication and access meter functions, potentially reading billing data, modifying configuration settings, or disrupting meter operations in energy distribution systems.
Who's at risk
Energy utilities and municipal electric providers using Accuenergy Acuvim II power meters with AXN-NET Ethernet modules for billing, monitoring, or data collection. This affects revenue metering equipment in substations and large commercial/industrial sites.
How it could be exploited
An attacker on the network sends requests to the AXN-NET Ethernet module (port 502 or web interface) without valid credentials. The module fails to properly validate authentication due to type confusion or client-side enforcement, allowing the attacker to interact with meter functions and access sensitive data or change settings.
Prerequisites
  • Network access to the AXN-NET Ethernet module
  • No valid authentication credentials required
Tags: no authentication required, remotely exploitable, no patch available, affects billing/metering systems
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (1)
Product | Affected Versions | Fix Status
AXN-NET Ethernet module: v.3.04 | v.3.04 | No fix (EOL)
Remediation & Mitigation
Do now
  • WORKAROUND: Isolate the AXN-NET Ethernet module from untrusted networks using a firewall or air-gap; restrict network access to the meter to trusted engineering workstations and control systems only
  • WORKAROUND: Disable Ethernet connectivity on the meter if not required for operations; use hardwired serial connections (Modbus RTU) instead of networked (Modbus TCP) where possible
Mitigations - no patch available
AXN-NET Ethernet module: v.3.04 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Monitor network traffic to and from the meter for unauthorized access attempts or unusual data requests
  • HARDENING: Place the meter behind a network segmentation boundary; implement network access controls (ACLs) limiting connections to known, trusted devices
  • HARDENING: Contact Accuenergy to determine if a firmware update or replacement module is available; evaluate migration to a newer meter model with patched Ethernet modules
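
One way to implement the traffic-monitoring control for the Modbus TCP side (port 502), as an added example that is not part of the advisory or any vendor tooling. It classifies captured payloads sent to the meter by source address and Modbus function code; the meter address, trusted host list and sample frames are constructed assumptions, and the web interface is not covered.

```python
import ipaddress
import struct

# Assumed values for illustration; none of these come from the advisory.
METER_IP = "10.20.0.15"
TRUSTED = {ipaddress.ip_address(a) for a in ("10.20.0.5", "10.20.0.6")}
WRITE_CODES = {5, 6, 15, 16}  # standard Modbus write function codes


def parse_modbus_request(payload: bytes):
    """Return (unit_id, function_code) from a Modbus TCP ADU, or None if malformed."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id must be 0; the length field counts the unit id plus the PDU.
    if proto != 0 or length < 2 or length != len(payload) - 6:
        return None
    return unit, payload[7]


def triage(src: str, dst: str, dport: int, payload: bytes):
    """Classify one observed TCP payload; None means it is not meter Modbus traffic."""
    if dst != METER_IP or dport != 502:
        return None
    req = parse_modbus_request(payload)
    if req is None:
        return "alert:malformed"
    if ipaddress.ip_address(src) in TRUSTED:
        return "allowed"
    # Any request from an unknown host is suspect; writes are the higher priority.
    return "alert:untrusted-write" if req[1] in WRITE_CODES else "alert:untrusted-access"


# Constructed sample frames: read holding registers (0x03), write single register (0x06).
READ_FRAME = bytes.fromhex("000100000006010300000002")
WRITE_FRAME = bytes.fromhex("000200000006010600100001")
SAMPLES = [
    ("10.20.0.5", METER_IP, 502, READ_FRAME),
    ("10.20.0.99", METER_IP, 502, READ_FRAME),
    ("10.20.0.99", METER_IP, 502, WRITE_FRAME),
    ("10.20.0.99", METER_IP, 502, b"\x00\x01"),
]

if __name__ == "__main__":
    for src, dst, dport, payload in SAMPLES:
        print(src, "->", dst, triage(src, dst, dport, payload))
```
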