Digi ConnectPort X2D
Act Now | 10 | ICS-CERT ICSA-22-216-01 | Aug 4, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The Digi ConnectPort X2D Gateway manufactured before January 2020 contains a vulnerability (CWE-250: Execution with Unnecessary Privileges) that allows an attacker to execute arbitrary code on the device. Successful exploitation could result in complete compromise of the gateway, potentially allowing interception or manipulation of control system communications. Digi International has not released a patch for this vulnerability; instead, the company indicates the vulnerability does not exist in gateways manufactured after January 2020.
What this means
What could happen
An attacker with network access to the ConnectPort X2D could execute arbitrary code on the gateway, potentially allowing them to intercept, modify, or block communications between your control systems and remote monitoring or management systems.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using Digi ConnectPort X2D gateways manufactured before January 2020 for remote monitoring, data concentration, or cellular/WAN connectivity. These gateways are commonly used to connect distributed control systems, PLCs, and RTUs to central management systems.
How it could be exploited
An attacker on the network sends a specially crafted request to the vulnerable ConnectPort X2D gateway (which acts as a remote device server and data router). The gateway processes the request without proper authorization checks and allows arbitrary code execution. This could be done remotely over the Internet if the gateway is publicly reachable, or from inside your network.
Prerequisites
- Network access to the ConnectPort X2D gateway (port unknown from advisory, but likely HTTP/HTTPS)
- The device must be a gateway manufactured before January 2020
- No authentication credentials required
Tags: remotely exploitable, no authentication required, low complexity, no patch available for legacy hardware, affects critical infrastructure connectivity
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
Digi ConnectPort X2D Gateway: all | < January 2020 | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Implement network segmentation to ensure ConnectPort X2D gateways are not accessible from the Internet or untrusted networks
- HARDENING: Place the gateway behind a firewall and restrict inbound access to only required management IPs and control system connections
- HARDENING: If remote access is required, implement a VPN tunnel and restrict gateway access through the VPN only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Replace or upgrade ConnectPort X2D gateways manufactured before January 2020 with units manufactured after January 2020, or contact Digi International support for patched firmware options
CVEs (1)