VIMESA VHF/FM Transmitter Blue Plus

Monitor | CVSS 5.3 | ICS-CERT ICSA-24-298-01 | Oct 24, 2024
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

VIMESA VHF/FM Transmitter Blue Plus version 9.7.1 contains an improper access control vulnerability (CWE-284) that allows an attacker with network access to trigger a denial-of-service condition. The vulnerability affects the device's management interface and has no available patch. VIMESA has indicated it will not provide a fix for this product.

What this means
What could happen
An attacker with network access to the transmitter could trigger a denial-of-service condition, interrupting broadcast operations and taking the station off the air.
Who's at risk
This vulnerability affects broadcast radio stations operating VIMESA VHF/FM Transmitter Blue Plus systems. Any radio station, translator, or repeater network relying on this equipment for on-air transmission is at risk. The impact is operational: loss of transmitter availability means loss of broadcast service.
How it could be exploited
An attacker sends a specially crafted network packet to the transmitter's management interface, causing it to crash or stop responding. The attack requires only network reachability to the device—no authentication or special credentials are needed.
Prerequisites
  • Network access to the transmitter management interface
  • No credentials or authentication required
  • Remotely exploitable
  • No authentication required
  • Low attack complexity
  • No patch available
  • Affects critical broadcast infrastructure
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (1)
Product | Affected Versions | Fix Status
VHF/FM Transmitter Blue Plus: v9.7.1 | v9.7.1 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate the VHF/FM transmitter from direct internet access; place it behind a firewall and restrict connections to authorized management networks only
WORKAROUND: If remote access to the transmitter is required, use a VPN with strong authentication; ensure the VPN is kept up to date with the latest patches
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

WORKAROUND: Contact VIMESA directly to inquire about mitigation options, as no vendor patch is planned
Mitigations - no patch available
VHF/FM Transmitter Blue Plus: v9.7.1 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to separate the transmitter management network from the main business network
HARDENING: Monitor network traffic to and from the transmitter for suspicious activity; implement intrusion detection rules to alert on attempted access to the transmitter management port
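
The monitoring control above, sketched as an added example that is not part of the advisory or any VIMESA material: a Python check over firewall connection records that flags traffic to or from the transmitter when the peer is outside the authorized management network. The addresses, the management port (the advisory does not name one), and the log format are constructed assumptions.

```python
import ipaddress

# Assumed values for illustration; replace with the site's real addressing.
TRANSMITTER = ipaddress.ip_address("192.0.2.10")        # constructed address
MGMT_NETS = [ipaddress.ip_network("198.51.100.0/28")]   # authorized management network
MGMT_PORT = 80  # placeholder: the advisory does not name the management port

# Constructed sample records in the form "timestamp src dst dport action".
SAMPLE_LOG = """\
2024-10-24T08:00:01Z 198.51.100.5 192.0.2.10 80 ALLOW
2024-10-24T08:03:17Z 203.0.113.7 192.0.2.10 80 DENY
2024-10-24T08:03:18Z 203.0.113.7 192.0.2.10 80 ALLOW
2024-10-24T08:05:40Z 192.0.2.10 203.0.113.99 443 ALLOW
2024-10-24T08:06:02Z 198.51.100.9 192.0.2.77 22 ALLOW
not a flow record
"""

def is_authorized(addr):
    """True if addr is inside an authorized management network."""
    return any(addr in net for net in MGMT_NETS)

def find_alerts(log_text):
    """Return one alert per transmitter flow whose peer is not authorized."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            ts, src, dst, dport, action = line.split()
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            continue  # skip malformed records rather than abort the scan
        if dst == TRANSMITTER and not is_authorized(src):
            kind = "mgmt-port-access" if dport == MGMT_PORT else "unauthorized-inbound"
            peer = src
        elif src == TRANSMITTER and not is_authorized(dst):
            kind, peer = "unexpected-outbound", dst
        else:
            continue
        # DENY: the firewall held. ALLOW: the segmentation rule is missing.
        severity = "high" if action == "ALLOW" else "medium"
        alerts.append({"line": lineno, "time": ts, "kind": kind,
                       "peer": str(peer), "port": dport, "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

An allowed flow from an unauthorized peer is rated higher than a denied one because it shows the isolation control itself is not in effect.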