Carrier Block Load

Vendor: Carrier
CVSS: 7.8
ICS-CERT advisory: ICSA-25-063-01
Published: Mar 4, 2025

Attack path
  • Attack Vector: Local
  • Auth Required: None
  • Complexity: Low
  • User Interaction: Required
Summary

Carrier Block Load versions 4.10 through 4.15 contain a code execution vulnerability that allows local attackers to execute arbitrary code with elevated privileges through a user interaction vector. The vulnerability stems from improper input validation (CWE-427) and could allow an attacker to modify system files or access sensitive data on affected workstations. Carrier has released version 4.2 and later to address this issue.

What this means
What could happen
An attacker with local access to a workstation running Block Load could execute arbitrary code with elevated privileges, potentially compromising the integrity of load scheduling data or control logic for HVAC systems at critical facilities.
Who's at risk
Building automation engineers and facilities managers using Carrier Block Load on Windows workstations for HVAC load scheduling and control. This affects organizations that depend on Block Load for chiller plant optimization, demand-side management, or energy management at commercial facilities, hospitals, and data centers.
How it could be exploited
The vulnerability requires a user to open or interact with a malicious file on a workstation where Block Load is installed (local execution, requires user interaction). Once triggered, the attacker gains the ability to run code with the same privileges as the application, potentially allowing modification of system files or access to sensitive building control data.
Prerequisites
  • Local access to a Windows workstation with Block Load version 4.10 through 4.15 installed
  • User interaction required (opening or executing a malicious file)
  • No special credentials or network access required for exploitation itself
Risk factors
  • Low attack complexity
  • User interaction required
  • Local access required (reduces internet-based risk)
  • Affects engineering workstations that may have access to control systems
Exploitability
Some exploitation risk — EPSS score 1.5%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (1)
Product     | Affected Versions              | Fix Status
Block Load  | 4.00; ≥ v4.10 and < 4.16       | 4.2+
Remediation & Mitigation

Do now

WORKAROUND: Restrict file execution and suspicious file access on workstations running Block Load using application whitelisting or AppLocker controls
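One way to put the AppLocker workaround into practice on an affected workstation. This is an added example, not code from the OTPulse advisory or from Carrier; the Block Load install directory is an assumed path, and the script expects an elevated PowerShell session with the AppLocker cmdlets available (Windows Enterprise/Server). The policy starts in AuditOnly mode so that nothing is blocked until the audit events have been reviewed; executables are then allowed only from the Windows and Program Files trees (where Block Load lives) and for local administrators, which denies launch from user-writable folders, downloads and removable media once enforcement is switched on.

```powershell
# Added example (not from the advisory or the vendor): AppLocker executable
# rules for a Carrier Block Load workstation, applied in audit mode first.
$BlockLoadDir = 'C:\Program Files (x86)\Carrier\Block Load'   # assumed install path
$PolicyPath   = Join-Path $env:TEMP 'blockload-applocker.xml'

# Emits one AppLocker FilePathRule. S-1-1-0 is the well-known SID for Everyone.
function New-PathRule {
    param([string]$Name, [string]$Path, [string]$Sid = 'S-1-1-0')
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# AuditOnly: AppLocker logs event 8003 (would have been blocked) to the
# Microsoft-Windows-AppLocker/EXE and DLL log instead of blocking. After the
# review period, change EnforcementMode to "Enabled" and re-apply.
# %PROGRAMFILES% in AppLocker covers both Program Files directories.
# S-1-5-32-544 is the local Administrators group, kept unrestricted so that
# patching (the 4.2+ upgrade) is not blocked by this policy.
$xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$(New-PathRule -Name 'Windows'        -Path '%WINDIR%\*')
$(New-PathRule -Name 'Program Files'  -Path '%PROGRAMFILES%\*')
$(New-PathRule -Name 'Administrators' -Path '*' -Sid 'S-1-5-32-544')
  </RuleCollection>
</AppLockerPolicy>
"@

$xml | Set-Content -Path $PolicyPath -Encoding UTF8

# Merge into the local policy (existing rule collections are preserved).
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# AppLocker rules are only evaluated while the Application Identity service runs.
Start-Service -Name AppIDSvc

# Verification: every Block Load executable must report "Allowed" for Everyone.
# Any "Denied" here means the install path assumption above is wrong for this host.
Get-ChildItem -Path $BlockLoadDir -Filter *.exe -Recurse |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -User Everyone

# Negative check against an existing file in a user-writable location; it should
# report "Denied" (or "DeniedByDefault") for a standard user.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -User Everyone
```

Run the audit phase for at least one full operating cycle of the workstation (scheduled jobs, vendor updaters) before flipping EnforcementMode to Enabled, and pair the Exe collection with the Dll collection if DLL search-path abuse is in scope, bearing in mind that the Dll collection adds a lookup on every library load.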
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Block Load to version 4.2 or later on all affected workstations
Long-term hardening

HARDENING: Limit user accounts running Block Load to standard (non-administrative) privileges to minimize damage if the application is compromised
HARDENING: Isolate engineering workstations running Block Load from the internet and limit connectivity to only authorized management networks
Carrier Block Load | CVSS 7.8 - OTPulse