Traffic Alert and Collision Avoidance System (TCAS) II

Plan PatchCVSS 8.2ICS-CERT ICSA-25-021-01Jan 21, 2024

Transportation

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Two vulnerabilities (CVE-2024-11166 and CVE-2024-9310) in TCAS II version 7.1 and earlier could allow an attacker with physical proximity to manipulate safety systems and cause denial of service. CVE-2024-11166 can be mitigated by upgrading to ACAS X or updating transponders to RTCA DO-181F compliance. No mitigation exists for CVE-2024-9310. These vulnerabilities require very specific conditions to exploit and are not remotely exploitable; they have high attack complexity and are unlikely to be exploited outside laboratory settings.

What this means

What could happen

An attacker with physical proximity to an aircraft's avionics could manipulate TCAS II collision warnings or prevent the system from functioning, potentially compromising the ability to detect and avoid mid-air collisions.

Who's at risk

Aviation operators and air traffic authorities managing aircraft equipped with TCAS II version 7.1 or earlier. This includes commercial airlines, regional carriers, and any organization operating aircraft with legacy TCAS II avionics. Air traffic management facilities that depend on correct TCAS II functioning for separation assurance are also impacted.

How it could be exploited

An attacker would need to be physically near the aircraft (not remotely exploitable) and would need to meet very specific lab-condition requirements to intercept and manipulate avionics signals or system states that TCAS II depends on for collision detection. The advisory notes these are difficult to exploit outside controlled laboratory settings.

Prerequisites

Physical proximity to the aircraft's avionics systems or communication pathways
Ability to meet very specific lab-condition requirements as noted in the advisory
No authentication bypass required under those conditions

affects safety systemsno patch available for legacy TCAS IImanipulation of collision avoidance warningshigh attack complexity mitigates practical risk

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (1)

ProductAffected VersionsFix Status

Traffic Alert and Collision Avoidance System (TCAS) II TCAS II: <=7.1≤ 7.1No fix (EOL)

Remediation & Mitigation

0/3

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade affected aircraft to ACAS X (Airborne Collision Avoidance System X) to fully mitigate CVE-2024-11166

HOTFIXUpgrade associated transponders to comply with RTCA DO-181F standard to mitigate CVE-2024-11166

Mitigations - no patch available

0/1

Traffic Alert and Collision Avoidance System (TCAS) II TCAS II: <=7.1 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGFor CVE-2024-9310: No mitigation currently available from vendor; monitor CISA advisories for future updates

CVEs (2)

CVE-2024-9310 CVE-2024-11166

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/1370bbb7-faca-45de-b22e-b5b33593028e

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.