Nedap Librix Ecoreader
Plan Patch · CVSS 8.6 · ICS-CERT ICSA-25-007-02 · Jan 7, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Nedap Librix Ecoreader contains a missing-authentication vulnerability (CWE-306, Missing Authentication for Critical Function) affecting all versions. A remote attacker can reach the affected function over the network without credentials or any special network position, and successful exploitation allows remote code execution on the device. Nedap did not respond to CISA's coordination attempts and has not released a patch.
What this means
What could happen
An attacker could remotely execute commands on the Ecoreader device without authentication, potentially altering access control configurations, modifying entry/exit systems, or disrupting facility operations.
Who's at risk
Organizations operating Nedap Librix Ecoreader devices for access control, badge readers, or facility entry/exit management should prioritize isolation of these devices. This affects buildings, data centers, and critical infrastructure facilities relying on Ecoreader for physical security and access logging.
How it could be exploited
An attacker who can reach the Ecoreader over the network can invoke a critical function that is exposed without any authentication check. Successful exploitation yields remote code execution on the device, giving the attacker control of its functionality.
Prerequisites
- Network reachability to the Ecoreader device (no firewall or segmentation boundary blocking the path)
- No credentials of any kind are required
- Low attack complexity: no special conditions, timing, or prior knowledge of the target are needed
Tags: remotely exploitable · no authentication required · low complexity · no patch available · high severity (CVSS 8.6)
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product: Ecoreader (vers:all/*)
Affected Versions: All versions
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate Ecoreader devices from Internet access; ensure they are not reachable from outside the facility network.
HARDENING: Place Ecoreader devices behind a firewall or network segmentation boundary; restrict access to authorized engineering workstations and management systems only.
Schedule — requires maintenance window
No vendor patch exists for this issue (see Mitigations below); the workaround here changes how the device is reached, so schedule it in a maintenance window to avoid interrupting facility access.
WORKAROUND: If remote access to Ecoreader is required, implement a VPN with strong encryption and multi-factor authentication; keep the VPN software patched, and remember that the VPN is only as secure as the devices connected to it.
Mitigations - no patch available
Ecoreader (vers:all/*) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Monitor for and log all network connections to Ecoreader devices; alert on unexpected access patterns.
HARDENING: Review and document which systems and personnel need direct access to Ecoreader; revoke unnecessary access.
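The "Do now" segmentation steps and the monitoring controls above depend on the same artefact: a written allowlist of which hosts may reach the readers, and on which ports. The following Python is an added example, not Nedap code and not part of the ICS-CERT advisory. It turns a hypothetical inventory into an nftables ruleset for the segmentation boundary, then uses the same allowlist to scan firewall connection logs and flag access that should raise an alert (a source outside RFC 1918 space, a source that is not on the allowlist, or an allowlisted host using an unexpected port). The device addresses, management hosts, ports 80/443, and the key=value log format are all assumptions for illustration.

```python
"""Allowlist-driven segmentation and monitoring for Ecoreader devices.

Added example; not Nedap code and not part of ICSA-25-007-02. Every address,
port and log line below is a constructed placeholder for illustration.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# --- Constructed inventory (hypothetical; replace with your own) ---
ECOREADER_HOSTS = ["10.20.30.11", "10.20.30.12"]   # the readers
ALLOWED_SOURCES = ["10.20.1.0/29", "10.20.5.40"]    # engineering workstations, ACS server
ALLOWED_PORTS = {80, 443}                           # assumed service ports of the readers

READERS = {ipaddress.ip_address(h) for h in ECOREADER_HOSTS}
ALLOWED_NETS = [ipaddress.ip_network(s) for s in ALLOWED_SOURCES]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def render_nft_ruleset(readers=ECOREADER_HOSTS, sources=ALLOWED_SOURCES, ports=ALLOWED_PORTS) -> str:
    """Render an nftables ruleset for the segmentation firewall in front of the readers.

    Only allowlisted sources may open TCP connections to the readers on the
    expected ports; any other traffic addressed to a reader is logged and dropped.
    """
    port_list = ", ".join(str(p) for p in sorted(ports))
    return "\n".join([
        "table inet ecoreader {",
        "  set readers { type ipv4_addr; elements = { " + ", ".join(readers) + " } }",
        "  set mgmt { type ipv4_addr; flags interval; elements = { " + ", ".join(sources) + " } }",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f"    ip daddr @readers ip saddr @mgmt tcp dport {{ {port_list} }} ct state new accept",
        "    ip daddr @readers ct state established,related accept",
        '    ip daddr @readers log prefix "ecoreader-drop " drop',
        "  }",
        "}",
    ])


# Constructed firewall connection-log format (hypothetical): key=value fields.
LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)")


def classify_connection(line: str) -> Optional[str]:
    """Return an alert reason for one log line, or None if it is not about a reader or is expected."""
    m = LOG_RE.search(line)
    if not m:
        return None
    dst = ipaddress.ip_address(m["dst"])
    if dst not in READERS:
        return None                                   # not reader traffic; out of scope
    src = ipaddress.ip_address(m["src"])
    dport = int(m["dport"])
    if not any(src in net for net in RFC1918):
        return f"reader {dst} reached from non-RFC 1918 address {src}: possible Internet exposure"
    if not any(src in net for net in ALLOWED_NETS):
        return f"reader {dst} reached from non-allowlisted host {src}"
    if m["proto"] != "tcp" or dport not in ALLOWED_PORTS:
        return f"allowlisted host {src} used unexpected {m['proto']}/{dport} to reader {dst}"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, reason) for every log line that should raise an alert."""
    alerts = []
    for line in lines:
        reason = classify_connection(line)
        if reason:
            alerts.append((line, reason))
    return alerts


# Constructed sample log: an allowed session, SSH from an allowed host, a stray
# internal host, an Internet source, and traffic to an unrelated device.
SAMPLE_LOG = """\
2025-01-08T09:12:03Z fw1 conn src=10.20.1.3 dst=10.20.30.11 proto=tcp dport=443 action=allow
2025-01-08T09:12:07Z fw1 conn src=10.20.1.3 dst=10.20.30.11 proto=tcp dport=22 action=allow
2025-01-08T09:13:41Z fw1 conn src=10.20.9.77 dst=10.20.30.12 proto=tcp dport=80 action=allow
2025-01-08T09:14:02Z fw1 conn src=203.0.113.5 dst=10.20.30.11 proto=tcp dport=80 action=allow
2025-01-08T09:14:09Z fw1 conn src=10.20.1.3 dst=10.20.40.5 proto=tcp dport=443 action=allow
""".splitlines()

if __name__ == "__main__":
    print(render_nft_ruleset())
    for line, reason in scan(SAMPLE_LOG):
        print("ALERT:", reason)
```

Keeping one inventory for both the enforcing ruleset and the detection logic means the access review called for above (who needs direct access to the readers) is done once and feeds both controls; the RFC 1918 check catches the case where the segmentation boundary has been bypassed and a reader is being reached from outside the facility network. Against the constructed sample log the scan raises three alerts: the SSH attempt on an unexpected port, the non-allowlisted internal host, and the Internet source.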
CVEs (1)