OTPulse

Tibbo AggreGate Network Manager

Action: Plan Patch
Score: 8.8
ICS-CERT: ICSA-24-354-05
Published: Dec 19, 2024
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

AggreGate Network Manager versions 6.34.02 and earlier contain an unrestricted file upload vulnerability (CWE-434) that allows authenticated users to upload and execute arbitrary files on the device. Successful exploitation could result in remote code execution on the management platform. The vulnerability affects the file upload mechanism used for device configuration or backup operations. Tibbo has released fixed versions 6.40.02, 6.34.03, and later that address this issue.

What this means
What could happen
An attacker with credentials and network access to the AggreGate Network Manager could upload and execute arbitrary code on the device, potentially allowing them to take control of network monitoring and management functions across your industrial devices.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using Tibbo AggreGate Network Manager versions 6.34.02 and earlier should be concerned. This product is used for centralized monitoring and management of network devices—if compromised, an attacker could control or observe your industrial network configuration and potentially impact connected systems.
How it could be exploited
An attacker who has obtained valid login credentials could authenticate to the AggreGate Network Manager web interface or API, then upload a malicious file through a file upload feature (CWE-434: unrestricted file upload). The uploaded file could be executed by the application, giving the attacker code execution on the management platform itself. This could allow them to pivot to monitored devices or exfiltrate configuration data.
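The weakness class described above (CWE-434) comes down to an upload handler trusting the client-supplied name and content. The following is an added, generic illustration of the checks such a handler should make; it is not AggreGate's code, does not describe how the product validates uploads, and the file types, size ceiling and directory are assumptions. It shows why a name-only extension check is insufficient and why the stored filename should never come from the user.

```python
"""Illustrative hardening for a CWE-434 style file upload endpoint (added example)."""
import os
import posixpath
import secrets

ALLOWED_EXTENSIONS = {".json", ".xml", ".bak"}          # assumed config/backup formats
EXECUTABLE_EXTENSIONS = {".jsp", ".jspx", ".php", ".sh", ".exe", ".war", ".jar", ".py", ".bat"}
MAX_SIZE = 10 * 1024 * 1024                              # assumed 10 MiB ceiling
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!")            # PE, ELF, script shebang


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the file is never written."""


def validate_upload(filename: str, content: bytes) -> str:
    """Return the accepted extension for (filename, content) or raise UploadRejected.

    Order of checks: path components, every dotted suffix (so 'run.sh.json'
    is caught, not just the last extension), size, then executable magic bytes.
    """
    # 1. Only a bare file name is accepted; anything with directory parts is refused.
    base = posixpath.basename(filename.replace("\\", "/"))
    if not base or base in (".", "..") or base != filename:
        raise UploadRejected("filename contains path components")
    # 2. Inspect all suffixes, not only the final one.
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("missing or hidden file extension")
    suffixes = {"." + p for p in parts[1:]}
    if suffixes & EXECUTABLE_EXTENSIONS:
        raise UploadRejected("executable extension in name")
    ext = "." + parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext} not in allowlist")
    # 3. Size ceiling before any further work on the content.
    if len(content) > MAX_SIZE:
        raise UploadRejected("file too large")
    # 4. Content check: a native executable renamed to .json is still rejected.
    if content.startswith(EXECUTABLE_MAGIC):
        raise UploadRejected("content looks like an executable")
    return ext


def upload_accepted(filename: str, content: bytes) -> bool:
    """Convenience wrapper: True if validate_upload passes, False if it rejects."""
    try:
        validate_upload(filename, content)
    except UploadRejected:
        return False
    return True


def store_upload(upload_dir: str, filename: str, content: bytes) -> str:
    """Write a validated upload under a server-chosen random name and return its path.

    upload_dir is assumed to sit outside the web root and any directory the
    application server scans, so a stored file is never reachable as a URL
    or loaded as code. The file is created non-executable (mode 0600).
    """
    ext = validate_upload(filename, content)
    stored = secrets.token_hex(16) + ext          # the user never controls the stored name
    path = os.path.join(upload_dir, stored)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    # Constructed sample uploads, not captured from any real system.
    samples = {
        "switch-backup.json": b'{"hostname": "sw01"}',   # legitimate backup
        "../../sw01.json": b"{}",                        # traversal in the name
        "run.sh.json": b"{}",                            # double extension
        "dropper.json": b"MZ\x90\x00",                   # PE header under a .json name
    }
    for name, body in samples.items():
        try:
            print(name, "-> accepted", validate_upload(name, body))
        except UploadRejected as exc:
            print(name, "-> rejected:", exc)
```

The decisive controls are the last two: the stored name is generated server-side, and the directory is one the application will never execute from. Extension and magic-byte checks reduce what gets in, but even a file that slips past them cannot become code if it is never placed where the server runs code.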
Prerequisites
  • Valid AggreGate Network Manager user credentials (administrator or unprivileged account)
  • Network connectivity to the AggreGate management interface (typically TCP port 80/443)
  • File upload functionality must be accessible and not properly validated on the target version
  • Remotely exploitable over network
  • Requires valid credentials (reduces but does not eliminate risk)
  • Low complexity exploitation once inside
  • No patch available for version 6.34.02 and earlier
  • Affects network management layer that may touch safety-critical systems
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product                    Affected Versions   Fix Status
AggreGate Network Manager  ≤ 6.34.02           6.40.02, 6.34.03
Remediation & Mitigation
Do now
WORKAROUND: If immediate update is not possible, restrict network access to the AggreGate management interface to trusted engineering workstations only, using firewall rules or access control lists
WORKAROUND: Disable file upload features in AggreGate if they are not required for your operations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update AggreGate Network Manager to version 6.40.02, 6.34.03, or later
Long-term hardening
HARDENING: Implement network segmentation to isolate the AggreGate manager and all monitored devices from direct internet access
HARDENING: Enforce multi-factor authentication (MFA) for all AggreGate user accounts if the platform supports it
API: /api/v1/advisories/33f2f064-e691-41cd-bf68-863b3da21454