GMOD Apollo
Priority: Act Now
CVSS: 9.8
Advisory: ICS-CERT ICSA-25-063-07
Published: Mar 4, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
GMOD Apollo versions prior to 2.8.0 contain multiple vulnerabilities related to authentication bypass (CWE-306), improper access control (CWE-266), path traversal (CWE-23), and information disclosure (CWE-209). Successful exploitation allows remote attackers without credentials to escalate privileges, upload malicious files, or disclose sensitive information.
What this means
What could happen
An attacker with network access to Apollo could bypass authentication, escalate privileges, upload and execute malicious files, or access sensitive configuration and system data—potentially allowing full control of the device and any systems it manages or monitors.
Who's at risk
Organizations using GMOD Apollo in automation, monitoring, or control applications should prioritize patching. This includes water utilities, electric utilities, manufacturing facilities, and any other entity using Apollo for supervisory or process control functions.
How it could be exploited
An attacker on the network can send specially crafted requests to the Apollo service on its listening port. The lack of authentication requirements and input validation allows the attacker to bypass access controls and directly escalate privileges or upload malicious files to the system.
Prerequisites
- Network connectivity to the Apollo device or service on its listening port
- No valid credentials required
- Remotely exploitable without authentication
- Low-complexity attack
- Critical CVSS score (9.8)
- Allows privilege escalation and file upload
- Affects multiple CWE categories, including improper access control and path traversal
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product | Affected Versions | Fix Status
Apollo  | <2.8.0            | Fixed in 2.8.0
Remediation & Mitigation
Do now
- HOTFIX: Update Apollo to version 2.8.0 or later
- HARDENING: Restrict network access to Apollo devices: place them behind firewalls and isolate them from business networks and the Internet
Schedule — requires maintenance window
- Patching may require a device reboot — plan for process interruption
- HARDENING: If remote access to Apollo is required, use a VPN with the latest security patches