OTPulse

AutomationDirect C-MORE EA9 HMI

Plan Patch | CVSS 7.5 | ICS-CERT ICSA-24-086-01 | Mar 26, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed

Summary

Multiple C-MORE EA9 HMI models and software variants are vulnerable to remote code injection through buffer overflow, path traversal, and credential hardcoding vulnerabilities (CWE-22, CWE-121, CWE-256). An attacker with network access can inject and execute malicious code on the HMI without authentication, potentially compromising the operator interface and enabling manipulation of monitored processes. Affected versions are 6.77 and earlier across all C-MORE EA9 hardware models (EA9-T6CL, EA9-T7CL, EA9-T8CL, EA9-T10CL, EA9-T10WCL, EA9-T12CL, EA9-T15CL, EA9-RHMI, EA9-PGMSW) and the industrial remote HMI variant (EA0-T7CL-R).

What this means
What could happen
An attacker with network access to a C-MORE EA9 HMI could inject malicious code and take control of the panel, potentially altering operator displays, disabling alarms, or interfering with process monitoring and control functions on the connected equipment.
Who's at risk
Manufacturing facilities using AutomationDirect C-MORE EA9 HMI panels (all sizes from 6-inch to 15-inch touchscreens, plus software variants) for equipment monitoring and control should prioritize this vulnerability. This includes discrete manufacturers, process plants, machine builders, and any facility where the HMI serves as the operator interface for PLCs or other control devices.
How it could be exploited
An attacker on the network could send a specially crafted request to the vulnerable HMI device (port 502 or the EtherNet/IP protocol). The vulnerability allows code injection without authentication, enabling the attacker to execute arbitrary commands in the panel's runtime environment. Once code is injected, the attacker can modify the HMI application logic or display.
Prerequisites
  • Network access to the C-MORE EA9 HMI device (typically port 502 for Modbus/TCP or port 44818 for EtherNet/IP)
  • No authentication required for exploitation
  • HMI firmware version 6.77 or earlier
Tags: remotely exploitable · no authentication required · low complexity · no patch available · affects control system visibility and operator interface
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (11)
6 with fix, 5 pending

Product | Affected Versions | Fix Status
C-MORE EA9 HMI EA9-T10CL | ≤ 6.77 | No fix yet
C-MORE EA9 HMI EA9-T15CL | ≤ 6.77 | No fix yet
C-MORE EA9 HMI EA9-T15CL-R | ≤ 6.77 | No fix yet
C-MORE EA9 HMI EA9-RHMI | ≤ 6.77 | No fix yet
C-MORE EA9 HMI EA9-PGMSW | ≤ 6.77 | No fix yet
C-MORE EA9 HMI EA9-T6CL | ≤ 6.77 | 6.78
C-MORE EA9 HMI EA9-T7CL | ≤ 6.77 | 6.78
C-MORE EA9 HMI EA0-T7CL-R | ≤ 6.77 | 6.78

Remediation & Mitigation

Do now
  • HARDENING: Implement network segmentation to isolate the HMI and connected control systems from the business network and internet
  • WORKAROUND: Restrict network access to the HMI using firewall rules to allow only authorized engineering and operator workstations
  • HARDENING: Deploy the HMI behind a firewall and ensure it is not directly accessible from the internet

Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
  • HOTFIX: Update AutomationDirect C-MORE EA9 HMI firmware to version 6.78 or later

Long-term hardening
  • HARDENING: If remote access is required, implement a VPN with current security patches and limit access to specific users and IP addresses
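
One way to verify the firewall restriction listed under "Do now", as an added example that is not part of the advisory or of any AutomationDirect tooling: it scans flow records for connections to the HMI's Modbus/TCP (502) and EtherNet/IP (44818) ports from sources outside an allowlist. The HMI address, the allowlisted workstations, the CSV flow format and the sample records are all constructed assumptions.

```python
import csv
import io
import ipaddress

# Ports named in the advisory's prerequisites.
HMI_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP"}

# Assumptions for this example (not from the advisory): the HMI address and
# the engineering/operator workstations permitted to reach it.
HMI_HOSTS = {ipaddress.ip_address("10.20.0.15")}
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.50/32"),
                   ipaddress.ip_network("10.20.1.0/28")]

# Constructed sample flow log: timestamp,src,dst,proto,dport,action
SAMPLE_FLOWS = """\
2024-03-27T08:01:12Z,10.20.0.50,10.20.0.15,tcp,502,accept
2024-03-27T08:03:40Z,10.20.1.7,10.20.0.15,tcp,44818,accept
2024-03-27T08:05:02Z,192.168.40.23,10.20.0.15,tcp,502,accept
2024-03-27T08:05:09Z,192.168.40.23,10.20.0.15,tcp,44818,drop
2024-03-27T08:06:30Z,10.20.0.50,10.20.0.15,tcp,443,accept
2024-03-27T08:07:55Z,not-an-ip,10.20.0.15,tcp,502,accept
"""

def audit_flows(text):
    """Return findings for HMI-port traffic from non-allowlisted sources."""
    findings = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 6:
            continue  # skip blank or malformed lines
        ts, src, dst, proto, dport, action = (f.strip() for f in row)
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            findings.append({"time": ts, "src": src, "issue": "unparseable record"})
            continue
        if dst_ip not in HMI_HOSTS or proto != "tcp" or port not in HMI_PORTS:
            continue
        if any(src_ip in net for net in ALLOWED_SOURCES):
            continue
        # accept = rule missing or too broad; drop = rule works, source still worth a look
        issue = "reached HMI" if action == "accept" else "blocked attempt"
        findings.append({"time": ts, "src": src,
                         "service": HMI_PORTS[port], "issue": issue})
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

Any "reached HMI" finding means the access restriction is not yet effective for that source and should be closed before relying on it while a firmware fix is pending.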
AutomationDirect C-MORE EA9 HMI | CVSS 7.5 - OTPulse