OTPulse

AutomationDirect C-more EA9 HMI

Act Now | 9.8 | ICS-CERT ICSA-25-035-08 | Feb 4, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A buffer overflow vulnerability (CWE-120) exists in AutomationDirect C-more EA9 HMI devices running firmware version 6.79 and earlier. The vulnerability allows an attacker with network access to send a specially crafted input that is not properly bounds-checked, leading to remote code execution or denial of service on the affected device. The vulnerability is remotely exploitable and requires no authentication to exploit.

What this means
What could happen
An attacker with network access to a C-more EA9 HMI could execute arbitrary code or crash the device, potentially disrupting the operator's ability to monitor and control manufacturing processes.
Who's at risk
Manufacturing facilities using AutomationDirect C-more EA9 HMI devices (models EA9-T6CL, EA9-T7CL, EA9-T7CL-R, EA9-T8CL, EA9-T10CL, EA9-T10WCL, EA9-T12CL, EA9-T15CL, EA9-T15CL-R, or EA9-RHMI) running firmware version 6.79 or earlier. These touchscreen operator interfaces are commonly used to monitor and control manufacturing equipment on the production floor.
How it could be exploited
An attacker on the network sends malformed input to the vulnerable C-more EA9 HMI, triggering the buffer overflow (CWE-120). The device accepts the input without proper bounds checking, and the attacker's code executes with the device's privileges. This could allow the attacker to read sensitive data, modify process parameters, or stop the HMI from functioning.
Prerequisites
  • Network access to the C-more EA9 HMI on the port it uses for communication (typically Ethernet)
  • No authentication required to exploit the vulnerability
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • No patch available from vendor
  • Buffer overflow vulnerability allows arbitrary code execution
Exploitability
Moderate exploit probability (EPSS 3.0%)
Affected products (10)
10 pending
Product | Affected Versions | Fix Status
C-more EA9 HMI EA9-T6CL | ≤ v6.79 | No fix yet
C-more EA9 HMI EA9-T7CL-R | ≤ v6.79 | No fix yet
C-more EA9 HMI EA9-T7CL | ≤ v6.79 | No fix yet
C-more EA9 HMI EA9-T8CL | ≤ v6.79 | No fix yet
C-more EA9 HMI EA9-T10CL | ≤ v6.79 | No fix yet
C-more EA9 HMI EA9-T10WCL | ≤ v6.79 | No fix yet
C-more EA9 HMI EA9-T12CL | ≤ v6.79 | No fix yet
C-more EA9 HMI EA9-T15CL-R | ≤ v6.79 | No fix yet
Remediation & Mitigation
Do now
  • HARDENING: Isolate the HMI workstation from external networks (internet, corporate LAN) and use dedicated, air-gapped systems for communication with programmable devices
  • HARDENING: Restrict physical and logical access to the HMI to authorized personnel only
  • WORKAROUND: Deploy application whitelisting to allow only pre-approved software to execute on the HMI
  • WORKAROUND: Install antivirus or endpoint detection and response (EDR) tools on the HMI workstation to monitor for and block threats
  • WORKAROUND: Configure host-based firewall rules to block unauthorized access to the HMI
  • HARDENING: Enable logging and monitoring of HMI system activities; regularly review logs for suspicious behavior
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update C-more EA9 HMI software and firmware to version 6.80 or later
Long-term hardening
  • HARDENING: Create regular secure backups of the HMI workstation and its configurations; test recovery procedures
  • HARDENING: Use VPNs with the latest updates for any remote access to the HMI, recognizing VPN security depends on the security of connected devices