ZF Roll Stability Support Plus (RSSPlus)

Monitor | CVSS 5.4 | ICS-CERT ICSA-25-021-03 | Jan 21, 2025
Attack path
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: Required
Summary

ZF RSSPlus 2M contains an authentication bypass vulnerability in its J2497 powerline communication protocol implementation. An unauthenticated attacker with RF equipment in proximity can call diagnostic functions on the trailer control module, potentially disrupting roll stability monitoring or altering system integrity. The affected builds are RSSPlus 2M versions built between January 8 and January 23. No firmware patch is planned; ZF recommends disabling J2497 features (except LAMP ON detection) and migrating to newer trailer bus technology with proper authentication.

What this means
What could happen
An attacker with RF equipment in proximity to a vehicle could trigger diagnostic functions on the RSSPlus trailer control module without authentication, potentially disrupting roll stability monitoring or altering vehicle behavior.
Who's at risk
Fleet operators and logistics companies managing vehicles equipped with ZF RSSPlus 2M roll stability modules are affected. This includes trucking operations, trailer manufacturers, and fleet maintenance teams responsible for vehicles using J2497-based trailer bus communication.
How it could be exploited
An attacker with RF transmission equipment broadcasts specially crafted J2497 protocol messages to the vehicle's trailer bus within RF range. The RSSPlus module accepts the diagnostic function calls because it does not properly authenticate the sender, allowing the attacker to invoke functions that impact system availability or integrity.
Prerequisites
  • RF transmission equipment capable of broadcasting on J2497 powerline communication frequency
  • Physical proximity to the vehicle (proximal/adjacent RF range)
  • No authentication required to trigger diagnostic functions
  • Target vehicle must be running an RSSPlus build from the affected build dates
  • remotely exploitable via RF
  • no authentication required
  • affects vehicle safety systems (roll stability)
  • no patch available (end-of-life product)
  • low complexity attack
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product: RSSPlus 2M
Affected Versions: ≥ build dates 01/08 | ≤ build dates 01/23
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable all J2497 protocol features except LAMP ON detection to prevent acceptance of malicious diagnostic commands
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Install RF chokes on trailer between chassis ground and wiring ground to reduce RF susceptibility
HARDENING: Implement dynamic address changes on tractor in response to detecting unexpected RF transmitters
Mitigations - no patch available
RSSPlus 2M (build dates 01/08 through 01/23) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: For new trailer equipment: migrate diagnostics to newer trailer bus technology that includes authentication
HARDENING: For new tractor equipment: remove support for J2497 message reception except for LAMP messages