Digi ConnectPort X2D

Plan PatchCVSS 10ICS-CERT ICSA-22-216-01Aug 4, 2022

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The Digi ConnectPort X2D Gateway manufactured before January 2020 contains a vulnerability (CWE-250: Execution with Unnecessary Privileges) that allows an attacker to execute arbitrary code on the device. Successful exploitation could result in complete compromise of the gateway, potentially allowing interception or manipulation of control system communications. Digi International has not released a patch for this vulnerability; instead, the company indicates the vulnerability does not exist in gateways manufactured after January 2020.

What this means

What could happen

An attacker with network access to the ConnectPort X2D could execute arbitrary code on the gateway, potentially allowing them to intercept, modify, or block communications between your control systems and remote monitoring or management systems.

Who's at risk

Water utilities, electric utilities, and other critical infrastructure operators using Digi ConnectPort X2D gateways manufactured before January 2020 for remote monitoring, data concentration, or cellular/WAN connectivity. These gateways are commonly used to connect distributed control systems, PLCs, and RTUs to central management systems.

How it could be exploited

An attacker on the network sends a specially crafted request to the vulnerable ConnectPort X2D gateway (which acts as a remote device server and data router). The gateway processes the request without proper authorization checks and allows arbitrary code execution. This could be done remotely over the Internet if the gateway is publicly reachable, or from inside your network.

Prerequisites

Network access to the ConnectPort X2D gateway (port unknown from advisory, but likely HTTP/HTTPS)
The device must be running firmware version manufactured before January 2020
No authentication credentials required

remotely exploitableno authentication requiredlow complexityno patch available for legacy hardwareaffects critical infrastructure connectivity

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (1)

ProductAffected VersionsFix Status

Digi ConnectPort X2D Gateway: all< january 2020No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/3

HARDENINGImplement network segmentation to ensure ConnectPort X2D gateways are not accessible from the Internet or untrusted networks

HARDENINGPlace the gateway behind a firewall and restrict inbound access to only required management IPs and control system connections

HARDENINGIf remote access is required, implement a VPN tunnel and restrict gateway access through the VPN only

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXReplace or upgrade ConnectPort X2D gateways manufactured before January 2020 with units manufactured after January 2020, or contact Digi International support for patched firmware options

CVEs (1)

CVE-2022-2634

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/c8536549-df18-4e08-86af-9de021998b65

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.