Nedap Librix Ecoreader
Plan Patch · CVSS 8.6 · ICS-CERT ICSA-25-007-02 · Jan 7, 2025
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Nedap Librix Ecoreader devices (all versions) contain an authentication bypass vulnerability (CWE-306) that could allow remote code execution. The vulnerability requires network access but no authentication, and successful exploitation could result in arbitrary code execution on the device. Nedap Librix has not responded to coordination attempts and has not released a patch.
What this means
What could happen
An attacker with network access to the Ecoreader could execute arbitrary code on the device, potentially allowing them to manipulate access control decisions or tamper with badge/credential verification systems in physical security deployments.
Who's at risk
Organizations using Nedap Librix Ecoreader devices for access control and physical security, particularly in facilities where badge readers are networked to central verification systems (such as corporate offices, data centers, critical infrastructure sites, and government buildings).
How it could be exploited
An attacker with unauthenticated network access to the Ecoreader sends a malicious request to the device that bypasses authentication requirements (CWE-306) and causes the device to execute arbitrary code. No user interaction is required.
Prerequisites
- Network access to the Ecoreader device (typically TCP/IP connected)
- Device must be running a vulnerable version of Ecoreader firmware (all versions affected)
Tags: remotely exploitable · no authentication required · low complexity · no patch available · affects safety/security systems
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (1)
Product | Affected Versions | Fix Status
Ecoreader | vers:all/* (all versions) | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to Ecoreader devices using firewall rules to allow communication only from authorized management systems and credential readers.
HARDENING: Place Ecoreader devices on an isolated network segment separate from business networks and the Internet.
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption.
HARDENING: If remote access to the Ecoreader is required, implement a VPN tunnel and keep the VPN up to date with the latest patches.
Mitigations - no patch available
Ecoreader: vers:all/* has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Monitor Ecoreader devices for unexpected network traffic or command execution and alert on any suspicious activity.
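The two controls that remain for an end-of-life device are the firewall allowlist (only authorized management systems may talk to the readers) and monitoring for traffic that violates that allowlist. The script below is an added example, not code from this advisory or from Nedap, that expresses the same allowlist as a detection rule and runs it over constructed connection-log lines. The reader subnet (10.20.1.0/24), the authorized peers (10.10.5.20 and 10.10.5.21) and the "key=value" log format are all assumptions for illustration; it flags both unauthorized sources reaching a reader and a reader initiating traffic to any host outside the allowlist, the latter being what a compromised device would look like in flow logs.

```python
"""Allowlist check over connection logs for networked Ecoreader devices.

Assumed (hypothetical) addresses: readers live in 10.20.1.0/24, and the
only authorized peers are the access-control server 10.10.5.20 and the
management workstation 10.10.5.21. The log lines are constructed samples
in a generic "key=value" format, not output of any real product.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ECOREADER_SUBNET = ipaddress.ip_network("10.20.1.0/24")  # assumed reader VLAN
AUTHORIZED_PEERS = {
    ipaddress.ip_address("10.10.5.20"),  # access-control server (assumed)
    ipaddress.ip_address("10.10.5.21"),  # management workstation (assumed)
}

# Constructed sample log: one line per connection, fields as key=value.
SAMPLE_LOG = """\
2025-01-08T09:12:01Z src=10.10.5.20 dst=10.20.1.15 proto=tcp dport=443 action=allow
2025-01-08T09:12:05Z src=10.20.1.15 dst=10.10.5.20 proto=tcp dport=8443 action=allow
2025-01-08T09:13:40Z src=192.168.50.77 dst=10.20.1.15 proto=tcp dport=80 action=allow
2025-01-08T09:14:02Z src=10.20.1.15 dst=203.0.113.9 proto=tcp dport=4444 action=allow
2025-01-08T09:15:11Z src=10.10.5.21 dst=10.20.1.16 proto=tcp dport=443 action=allow
malformed line without fields
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return a dict of fields for a well-formed line, else None."""
    parts = line.split()
    if len(parts) < 3:
        return None
    fields = {"timestamp": parts[0]}
    for token in parts[1:]:
        if "=" not in token:
            return None  # not key=value: skip the line rather than guess
        key, value = token.split("=", 1)
        fields[key] = value
    if "src" not in fields or "dst" not in fields:
        return None
    return fields


def classify(fields: dict) -> Optional[str]:
    """Apply the allowlist in both directions; return a reason if violated."""
    try:
        src = ipaddress.ip_address(fields["src"])
        dst = ipaddress.ip_address(fields["dst"])
    except ValueError:
        return None
    if dst in ECOREADER_SUBNET and src not in AUTHORIZED_PEERS:
        return "unauthorized source reached an Ecoreader"
    if src in ECOREADER_SUBNET and dst not in AUTHORIZED_PEERS:
        return "Ecoreader initiated traffic to an unexpected destination"
    return None


def find_unexpected(log_text: str) -> list:
    """Return every Finding in the log, in order of appearance."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        reason = classify(fields)
        if reason:
            findings.append(
                Finding(fields["timestamp"], fields["src"], fields["dst"], reason)
            )
    return findings


if __name__ == "__main__":
    for f in find_unexpected(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src} -> {f.dst}: {f.reason}")
```

On the sample input this reports two findings: the workstation 192.168.50.77 reaching a reader from outside the allowlist, and a reader opening a connection to 203.0.113.9. The same two sets (reader subnet, authorized peers) are what the firewall rules in the WORKAROUND above should encode, so keeping them in one place lets the detection and the enforcement drift less.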
CVEs (1)