LOYTEC Electronics LINX Series

Plan PatchCVSS 8.2ICS-CERT ICSA-24-247-01Sep 3, 2024

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

LOYTEC LINX Series building automation controllers contain multiple vulnerabilities in HTTP communication and firmware verification that allow attackers to disclose sensitive information (credentials, configuration data) or modify device settings without authentication. Affected products include LINX-151, LINX-212, LVIS-3ME12-A1, LIOB-586, LIOB-580 V2, LIOB-588, and L-INX Configurator software across all versions. Vulnerabilities include unencrypted transmission of sensitive data (CWE-319), missing authentication (CWE-306), unencrypted storage of credentials (CWE-312), and improper access control on configuration files (CWE-284).

What this means

What could happen

An attacker could read sensitive configuration data (credentials, setpoints) from LOYTEC building automation controllers or modify device settings and firmware, disrupting HVAC, lighting, or energy management operations in buildings.

Who's at risk

Building automation operators and facilities managers using LOYTEC LINX series controllers (LINX-151, LINX-212, LVIS-3ME12-A1, LIOB series devices, and L-INX Configurator software) for HVAC, lighting, and energy management should be aware that these devices have multiple unpatched vulnerabilities allowing credential theft and unauthorized modifications.

How it could be exploited

An attacker on the network sends unencrypted HTTP requests to the LOYTEC device to access registry and configuration files (CVE-2023-46380, 46382, 46383, 46385), or uploads malicious firmware without proper signature verification (CVE-2023-46381, 46384, 46386, 46388, 46389). No authentication is required for the HTTP-based vulnerabilities.

Prerequisites

Network access to the LOYTEC device on the HTTP port (typically 80)
LOYTEC device must have HTTP enabled (default configuration)
For firmware modification exploits: ability to reach the firmware upload interface

remotely exploitableno authentication required for HTTP-based exploitslow complexityno patch available for affected productsaffects building critical infrastructure (HVAC/lighting)

Exploitability

Unlikely to be exploited — EPSS score 0.4%

Affected products (7)

7 with fix

ProductAffected VersionsFix Status

LINX-151: vers:all/*All versions8.2.8

LINX-212: vers:all/*All versions8.2.8

LVIS-3ME12-A1: vers:all/*All versions8.2.8

LIOB-586: vers:all/*All versions8.2.8

LIOB-580 V2: vers:all/*All versions8.2.8

LIOB-588: vers:all/*All versions8.2.8

L-INX Configurator: vers:all/*All versions8.2.8

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDDisable HTTP protocol on all LOYTEC devices and use HTTPS only

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate all affected LOYTEC products to firmware version 8.2.8 or later

Long-term hardening

0/3

HARDENINGSegment building automation networks from business networks using firewalls

HARDENINGRestrict network access to LOYTEC devices to authorized engineering workstations and control systems only

HARDENINGMonitor for unauthorized firmware uploads and configuration file access attempts

CVEs (10)

CVE-2023-46380 CVE-2023-46381 CVE-2023-46382 CVE-2023-46383 CVE-2023-46384 CVE-2023-46385 CVE-2023-46386 CVE-2023-46387 CVE-2023-46388 CVE-2023-46389

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/b0f220f0-15af-44c6-9e46-26a8610b9ab0

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.