AutomationDirect C-MORE EA9 HMI

Plan PatchCVSS 7.5ICS-CERT ICSA-24-086-01Mar 26, 2024

AutomationDirectManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple C-MORE EA9 HMI models and software variants are vulnerable to remote code injection through buffer overflow, path traversal, and credential hardcoding vulnerabilities (CWE-22, CWE-121, CWE-256). An attacker with network access can inject and execute malicious code on the HMI without authentication, potentially compromising the operator interface and enabling manipulation of monitored processes. Affected versions are 6.77 and earlier across all C-MORE EA9 hardware models (EA9-T6CL, EA9-T7CL, EA9-T8CL, EA9-T10CL, EA9-T10WCL, EA9-T12CL, EA9-T15CL, EA9-RHMI, EA9-PGMSW) and the industrial remote HMI variant (EA0-T7CL-R).

What this means

What could happen

An attacker with network access to a C-MORE EA9 HMI could inject malicious code and take control of the panel, potentially altering operator displays, disabling alarms, or interfering with process monitoring and control functions on the connected equipment.

Who's at risk

Manufacturing facilities using AutomationDirect C-MORE EA9 HMI panels (all sizes from 6-inch to 15-inch touchscreens, plus software variants) for equipment monitoring and control should prioritize this vulnerability. This includes discrete manufacturers, process plants, machine builders, and any facility where the HMI serves as the operator interface for PLCs or other control devices.

How it could be exploited

An attacker on the network could send a specially crafted request to the vulnerable HMI device (port 502 or Ethernet/IP protocol). The vulnerability allows code injection without authentication, enabling the attacker to execute arbitrary commands on the panel's runtime environment. Once code is injected, the attacker can modify the HMI application logic or display.

Prerequisites

Network access to the C-MORE EA9 HMI device (typically port 502 for Modbus/TCP or port 44818 for EtherNet/IP)
No authentication required for exploitation
HMI firmware version 6.77 or earlier

remotely exploitableno authentication requiredlow complexityno patch availableaffects control system visibility and operator interface

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (11)

6 with fix5 pending

ProductAffected VersionsFix Status

C-MORE EA9 HMI EA9-T10CL: <=6.77≤ 6.77No fix yet

C-MORE EA9 HMI EA9-T15CL: <=6.77≤ 6.77No fix yet

C-MORE EA9 HMI EA9-T15CL-R: <=6.77≤ 6.77No fix yet

C-MORE EA9 HMI EA9-RHMI: <=6.77≤ 6.77No fix yet

C-MORE EA9 HMI EA9-PGMSW: <=6.77≤ 6.77No fix yet

C-MORE EA9 HMI EA9-T6CL: <=6.77≤ 6.776.78

C-MORE EA9 HMI EA9-T7CL: <=6.77≤ 6.776.78

C-MORE EA9 HMI EA0-T7CL-R: <=6.77≤ 6.776.78

Remediation & Mitigation

0/5

Do now

0/3

HARDENINGImplement network segmentation to isolate the HMI and connected control systems from the business network and internet

WORKAROUNDRestrict network access to the HMI using firewall rules to allow only authorized engineering and operator workstations

HARDENINGDeploy the HMI behind a firewall and ensure it is not directly accessible from the internet

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate AutomationDirect C-MORE EA9 HMI firmware to version 6.78 or later

Long-term hardening

0/1

HARDENINGIf remote access is required, implement a VPN with current security patches and limit access to specific users and IP addresses

CVEs (3)

CVE-2024-25136 CVE-2024-25137 CVE-2024-25138

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/08304ee2-763b-4ede-995d-d4f4492b0f50

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.