OTPulse

Carrier Block Load

Plan Patch
CVSS: 7.8
ICS-CERT ICSA-25-063-01
Mar 4, 2025
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Carrier Block Load versions 4.10 through 4.15 contain a vulnerability that allows arbitrary code execution with escalated privileges through an uncontrolled search path or untrusted search path (CWE-427). This vulnerability requires local access and user interaction to exploit.

What this means
What could happen
An attacker with local access to a machine running Block Load could execute arbitrary code with elevated privileges, potentially compromising the entire system and any connected control systems or networks it manages.
Who's at risk
Organizations using Carrier Block Load for HVAC system design, load calculations, or facility management should be concerned, particularly if Block Load is installed on engineering workstations or servers that interact with building control systems or are connected to corporate networks.
How it could be exploited
An attacker must first gain local access to a computer running Block Load (e.g., via USB, shared folder, or compromised user account). The attacker then needs a user to interact with the application or execute a malicious file in the same directory. The application's unsafe search path handling then allows code execution with escalated privileges.
Prerequisites
  • Local access to the computer running Block Load
  • User interaction required (opening file or application interaction)
  • Block Load version 4.10 through 4.15 installed
  • Requires local access and user interaction
  • Low EPSS score (0.8%)
  • No patch available for vulnerable versions
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (1)
Product: Block Load: 4.00|>=v4.10|<4.16
Affected Versions: 4.00|≥ v4.10|<4.16
Fix Status: 4.2 or later
Remediation & Mitigation
Do now
WORKAROUND: Restrict local access to computers running Block Load; disable unnecessary local login accounts and enforce strong password policies
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Block Load to version 4.2 or later
Long-term hardening
HARDENING: Monitor for suspicious file activity or code execution on machines running Block Load
HARDENING: Isolate Block Load workstations from internet access and ensure they are behind firewalls
HARDENING: If remote access to Block Load is needed, use VPN with current patches and additional access controls
Carrier Block Load | CVSS 7.8 - OTPulse