Franklin Fueling Systems TS-550 EVO
Plan Patch | CVSS 7.5 | ICS-CERT ICSA-24-268-03 | Sep 24, 2024
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A path traversal vulnerability in Franklin Fueling Systems TS-550 EVO firmware versions prior to 2.26.4.8967 allows an attacker with network access to gain administrative access to the device without authentication. The vulnerability has a CVSS score of 7.5 (high severity) and affects the core fuel station controller that manages pump operations and transaction processing.
What this means
What could happen
An attacker could gain full administrative access to your TS-550 EVO fuel station controller, allowing them to modify pump operations, alter price displays, or disable transaction processing.
Who's at risk
Fuel station operators and fleet managers using Franklin Fueling Systems TS-550 EVO controllers should prioritize this update. The vulnerability affects the central point of control for all pump operations at a fueling location.
How it could be exploited
An attacker with network access to the TS-550 EVO can send a specially crafted request that exploits a path traversal vulnerability (CWE-36) to bypass authentication and obtain administrative credentials or privileges without providing valid login credentials.
Prerequisites
- Network access to the TS-550 EVO on port 80 or 443 (HTTP/HTTPS)
- Remotely exploitable
- No authentication required
- Low complexity
- High attack impact (full administrative access)
Exploitability
Unlikely to be exploited — EPSS score 0.5%
Affected products (1)
Product | Affected Versions | Fix Status
TS-550 EVO: <2.26.4.8967 | <2.26.4.8967 | 2.26.4.8967
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the TS-550 EVO: block inbound connections from the internet and untrusted networks using firewall rules
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update TS-550 EVO firmware to version 2.26.4.8967 or later
Long-term hardening
HARDENING: Isolate the fuel station controller network from your business network using a firewall or network segment
HARDENING: If remote access to the TS-550 EVO is required, use a VPN with strong authentication and keep VPN software updated
CVEs (1)