Advantech ADAM-5550
Plan Patch | 8.8 | ICS-CERT ICSA-24-270-01 | Sep 26, 2024
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The Advantech ADAM-5550 contains two vulnerabilities: improperly encoded user credentials (CWE-261) that can be intercepted by an attacker on the local network, and stored cross-site scripting (CWE-79) that allows an attacker with credentials to inject malicious code into the device's web pages. These issues could allow a local attacker to gain full administrative access and compromise the integrity of the device and any user interface connected to it. The vulnerabilities are not exploitable from the Internet and require Layer 2/3 network access.
What this means
What could happen
An attacker on the same local network can intercept and decode user credentials to gain full administrative access to the ADAM-5550, allowing them to modify device configuration or plant malicious code on the web interface that would be served to legitimate users.
Who's at risk
Water utilities and municipal electric systems using Advantech ADAM-5550 remote terminal units (RTUs) or data acquisition devices should prioritize replacement, as these devices cannot be patched. Any facility using ADAM-5550 for environmental monitoring, data collection, or remote process measurement is affected.
How it could be exploited
An attacker on the local network intercepts unencrypted or easily decodable authentication credentials sent by a legitimate user to the ADAM-5550. Using these credentials, the attacker logs into the device with full administrative privileges. The attacker can then inject malicious code into the device's web pages, which will be served to any user who accesses the device's web interface.
Prerequisites
- Attacker must have Layer 2/3 network access to the same local network segment as the ADAM-5550 (cannot exploit from the Internet)
- No valid user credentials required to intercept credentials or inject malicious code into web interface
- No patch available - device is end-of-life
- Weak credential encoding allows interception
- Allows code injection into web interface
- Affects legacy industrial equipment with long service life
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Advantech ADAM 5550: vers:all/* | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Isolate ADAM-5550 from business networks and place behind firewall; restrict local network access to authorized users and devices only
- HARDENING: If remote access is required, deploy VPN with current patches to control access to the device
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Replace ADAM-5550 with ADAM-5630 running firmware version 2.5.2 or higher
- WORKAROUND: Monitor for suspicious local network activity targeting the ADAM-5550, including credential sniffing attempts
CVEs (2)