Carrier Block Load
CVSS 7.8 · ICS-CERT ICSA-25-051-03 · Published Feb 20, 2025
Vendor: Carrier
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Carrier Block Load version 4.16 contains an arbitrary code execution vulnerability that is triggered when a user opens a malicious file. Successful exploitation allows an attacker to execute code with elevated privileges on the affected system. Carrier does not plan to release a patch; the product is end of life.
What this means
What could happen
An attacker who tricks a user into opening a malicious file could execute arbitrary code with elevated privileges on the system running Block Load, compromising that workstation and potentially any building management or HVAC control networks it can reach.
Who's at risk
Building automation and HVAC engineers and operators at facilities using Carrier Block Load for energy management and control. Contractors and consultants who configure or troubleshoot these systems are particularly exposed if they download and open project files from email or file-sharing services.
How it could be exploited
An attacker crafts a malicious file (likely a project file or document in a format Block Load opens) and delivers it to a Block Load user by email, a file share or removable media. When the user opens the file, the application runs the attacker's code with the privileges of the logged-in user. If that user has administrative rights, as is common on engineering workstations, the attacker obtains elevated privileges on the host and a foothold from which to reach adjacent OT networks.
Prerequisites
- User interaction required: victim must open the malicious file
- Local access to or ability to deliver a file to the Block Load system
- Block Load version 4.16 installed
Key factors: user interaction required (social engineering risk); local access required, but file-based delivery lowers the barrier; escalated privileges possible; no patch available.
Exploitability
Some exploitation risk — EPSS score 1.5%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (1)
Product | Affected versions | Fix status
Block Load 4.16 | 4.16 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict Block Load access to trusted engineering staff only; use role-based access controls to limit who can install and modify software on systems running Block Load, and run Block Load under a standard (non-administrator) account so that code executed from a malicious file does not inherit administrative rights.
WORKAROUND: Educate Block Load users not to open files from untrusted sources and to verify the source of any project files before opening them.
Mitigations (no patch available)
Block Load 4.16 has reached end of life and the vendor will not release a patch. Apply the following compensating controls:
HARDENING: Disable or restrict file sharing between Block Load systems and general IT networks; use network segmentation to isolate building automation systems.
HARDENING: Monitor systems running Block Load for unauthorized privilege escalation or process execution. Block Load is a desktop application, so use host-level auditing (Windows process-creation auditing, event 4688, or Sysmon event 1) to record the processes it spawns and the files it opens, and review those logs for children of the Block Load process.
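As an added example of the host-level monitoring mitigation above (this is illustration code written for this page, not part of the advisory or of any Carrier product), the following Python script applies a simple rule to process-creation events shaped like Windows Security event 4688 / Sysmon event 1 fields and reports children of the Block Load process that are interpreters or download/execute utilities, run at elevated integrity, or are launched from user-writable directories. The Block Load executable names, the suspicious-child list and the sample events are assumptions constructed for the example, not values taken from the product or from a real host.

```python
"""
Added example: flag suspicious child processes of Carrier Block Load.

Illustration code written for this page, not part of the advisory or of any
Carrier product. ASSUMPTIONS: the Block Load image names, the list of
suspicious child binaries and the sample events below are constructed for
the example; the event fields mirror Windows Security event 4688 / Sysmon
event 1, but no real host logs were used.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional

# ASSUMPTION: image names of the Block Load application. Replace with the
# names observed on your own engineering workstations.
BLOCKLOAD_IMAGES = {"blockload.exe", "bload.exe"}

# Interpreters and download/execute utilities that an HVAC load-calculation
# tool has no business launching; any such child is reported.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "msiexec.exe", "schtasks.exe",
}

# Directories an ordinary user can write to; a payload dropped by a malicious
# project file typically runs from one of these.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str   # ParentImage / Creator Process Name
    new_image: str      # Image / New Process Name
    command_line: str
    user: str
    integrity: str      # Sysmon IntegrityLevel: Low, Medium, High, System


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    parent: str
    child: str
    reasons: str
    command_line: str


def _image_name(path: str) -> str:
    """Lower-cased file name of a Windows path, regardless of the host OS."""
    return PureWindowsPath(path).name.lower()


def evaluate(event: ProcessEvent) -> Optional[Finding]:
    """Return a Finding when the event is a suspicious child of Block Load."""
    parent = _image_name(event.parent_image)
    if parent not in BLOCKLOAD_IMAGES:
        return None  # only processes created by Block Load are in scope
    child = _image_name(event.new_image)
    reasons: List[str] = []
    if child in SUSPICIOUS_CHILDREN:
        reasons.append(f"Block Load spawned {child}")
    # A child above the Medium integrity of an ordinary interactive session is
    # the "elevated privileges" outcome the advisory describes.
    if event.integrity.lower() in {"high", "system"}:
        reasons.append(f"child runs at {event.integrity} integrity")
    lowered = event.new_image.lower()
    if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
        reasons.append("child image lives in a user-writable directory")
    if not reasons:
        return None
    return Finding(event.host, event.user, parent, child,
                   "; ".join(reasons), event.command_line)


def scan(events: Iterable[ProcessEvent]) -> List[Finding]:
    """Apply evaluate() to a stream of events and keep only the findings."""
    return [f for f in map(evaluate, events) if f is not None]


# Constructed sample events (not from a real host).
BLOCKLOAD_EXE = r"C:\Program Files (x86)\Carrier\Block Load\BlockLoad.exe"
SAMPLE_EVENTS = [
    # 1: Block Load launches cmd.exe, which then runs encoded PowerShell.
    ProcessEvent("ENG-WS01", BLOCKLOAD_EXE, r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c powershell -w hidden -enc SQBFAFgA", "CORP\\jdoe", "Medium"),
    # 2: Block Load launches a dropped binary that runs at High integrity.
    ProcessEvent("ENG-WS01", BLOCKLOAD_EXE, r"C:\Users\jdoe\AppData\Local\Temp\upd.exe",
                 r"C:\Users\jdoe\AppData\Local\Temp\upd.exe", "CORP\\jdoe", "High"),
    # 3: Explorer starting Block Load itself is normal and out of scope.
    ProcessEvent("ENG-WS01", r"C:\Windows\explorer.exe", BLOCKLOAD_EXE,
                 '"C:\\Program Files (x86)\\Carrier\\Block Load\\BlockLoad.exe"',
                 "CORP\\jdoe", "Medium"),
    # 4: A benign system child at Medium integrity raises nothing.
    ProcessEvent("ENG-WS01", BLOCKLOAD_EXE, r"C:\Windows\System32\notepad.exe",
                 "notepad.exe report.txt", "CORP\\jdoe", "Medium"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.host}] {finding.user}: {finding.parent} -> {finding.child}: "
              f"{finding.reasons} | {finding.command_line}")
```

In production the same rule would be fed from a SIEM query over 4688/Sysmon data rather than an in-memory list, and the suspicious-child set should be tuned against a baseline of what Block Load legitimately launches on your workstations before alerting on it.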
CVEs (1)