Advantech EKI-1524-CE series
Monitor | 5.4 | ICS-CERT ICSA-23-269-04 | Sep 26, 2023
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
Advantech EKI-1524-CE, EKI-1522-CE, and EKI-1521-CE series industrial Ethernet switches running firmware version 1.24 and earlier contain a cross-site scripting (XSS) vulnerability in the management web interface. An attacker with valid credentials could craft a malicious link that, when clicked by an authenticated user, executes arbitrary code within the user's session context. This could allow unauthorized modification of switch configuration, traffic redirection, or disruption of communications between connected industrial devices.
What this means
What could happen
An attacker with valid login credentials and user interaction could execute arbitrary code in the context of a user's session on these industrial Ethernet switches, potentially allowing them to modify network traffic, alter switch configuration, or disrupt communications on connected industrial equipment.
Who's at risk
Industrial and municipal water/electric utilities using Advantech EKI-1524-CE, EKI-1522-CE, or EKI-1521-CE series managed industrial Ethernet switches in control networks should be concerned. These switches are commonly deployed to connect PLCs, SCADA systems, and other critical equipment in operational networks.
How it could be exploited
An attacker would need to trick a user with switch access into clicking a malicious link or opening an attachment while logged in to the Advantech management interface. This would execute arbitrary JavaScript in the user's session context, allowing the attacker to perform actions the user is authorized to perform on the device.
Prerequisites
- Valid login credentials to the switch management interface
- Network access to the management port (typically port 80/443)
- User must click malicious link or open attachment while logged in
- User interaction required (not fully automated)
- Remotely exploitable (requires network access to management interface)
- Low complexity attack (social engineering / phishing)
- Requires valid credentials and user interaction
- Low EPSS score but no patch currently available for older firmware versions
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (3)
3 with fix
Product | Affected Versions | Fix Status
EKI-1524-CE series | ≤ 1.24 | 1.26 or later
EKI-1522-CE series | ≤ 1.24 | 1.26 or later
EKI-1521-CE series | ≤ 1.24 | 1.26 or later
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to switch management interfaces to authorized engineering workstations only using firewall rules
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade EKI-1524-CE, EKI-1522-CE, and EKI-1521-CE switches to firmware version 1.26 or later
Long-term hardening
- HARDENING: Implement network segmentation to isolate industrial Ethernet switches from business networks and the internet
- HARDENING: Use VPN with the latest security updates for any required remote access to switch management interfaces
- HARDENING: Train users not to click links in unsolicited emails or open attachments while logged into industrial devices
CVEs (2)