AutomationDirect C-more EA9 HMI
Plan PatchCVSS 9.8ICS-CERT ICSA-25-035-08Feb 4, 2025
AutomationDirectManufacturing
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
A buffer overflow vulnerability (CWE-120) in AutomationDirect C-more EA9 HMI firmware versions 6.79 and earlier allows an unauthenticated attacker with network access to cause denial-of-service (crash) or execute arbitrary code on the affected device. The vulnerability affects all size variants of the EA9 series across multiple model numbers. As of now, no patched version is available; AutomationDirect is expected to release firmware version 6.80 as a fix, but it has not been released yet.
What this means
What could happen
An attacker with network access to the HMI could execute arbitrary code or crash the device, disrupting the visual interface used to monitor and control manufacturing processes or potentially injecting malicious commands into connected equipment.
Who's at risk
Manufacturing operations using AutomationDirect C-more EA9 HMI touchscreen panels for process monitoring and control. Facilities operating any of the affected model variants (6, 7, 8, 10, 12, or 15 inch displays) with firmware 6.79 or earlier should treat this as a critical risk. Network-connected facilities are at highest risk; isolated or air-gapped installations have lower immediate exposure.
How it could be exploited
An attacker sends a specially crafted network request to the vulnerable HMI. The device fails to validate the input properly (buffer overflow via CWE-120), allowing the attacker to overwrite memory and execute arbitrary code or crash the application. No authentication is required.
Prerequisites
- Network access to the C-more EA9 HMI device
- Device must be running firmware version 6.79 or earlier
- No authentication required
remotely exploitableno authentication requiredlow complexity attackcritical CVSS score (9.8)no patch available yetaffects HMI/operator interface (may impact operator awareness)
Exploitability
Some exploitation risk — EPSS score 3.0%
Affected products (10)
10 pending
ProductAffected VersionsFix Status
C-more EA9 HMI EA9-T6CL: <=v6.79≤ v6.79No fix yet
C-more EA9 HMI EA9-T7CL-R: <=v6.79≤ v6.79No fix yet
C-more EA9 HMI EA9-T7CL: <=v6.79≤ v6.79No fix yet
C-more EA9 HMI EA9-T8CL: <=v6.79≤ v6.79No fix yet
C-more EA9 HMI EA9-T10CL: <=v6.79≤ v6.79No fix yet
C-more EA9 HMI EA9-T10WCL: <=v6.79≤ v6.79No fix yet
C-more EA9 HMI EA9-T12CL: <=v6.79≤ v6.79No fix yet
C-more EA9 HMI EA9-T15CL-R: <=v6.79≤ v6.79No fix yet
Remediation & Mitigation
0/6
Do now
0/4WORKAROUNDDisconnect the HMI workstation from external networks (internet and corporate LAN) until an update can be applied
HARDENINGRestrict physical and logical access to the HMI to authorized personnel only
HARDENINGConfigure host-based firewall rules to block unauthorized incoming connections to the HMI device
HARDENINGEnable logging and monitoring of HMI system activity to detect anomalous behavior or unauthorized access attempts
Schedule — requires maintenance window
0/2Patching may require device reboot — plan for process interruption
HOTFIXUpdate C-more EA9 HMI software and firmware to version 6.80 or later
HARDENINGDeploy application whitelisting on the HMI workstation to block execution of unauthorized software
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/be728cd2-7ccf-46e3-a436-45f4815176c5Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.