OTPulse

Labkotec LID-3300IP

Plan PatchCVSS 9.4ICS-CERT ICSA-26-062-05Mar 3, 2026
Energy
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

The Labkotec LID-3300IP ice detection device contains authentication and encryption weaknesses in its network communications. Labkotec has determined that secure encrypted network traffic cannot be implemented on the original LID-3300IP model due to hardware limitations. The vulnerability allows unauthenticated attackers on the network to send commands to the device and alter its operation. LID-3300IP Type 2 can receive firmware updates (V2.40 addresses this), but the original LID-3300IP model will not be patched. Devices not connected to Ethernet networks are unaffected.

What this means
What could happen
An attacker with network access to the device could gain unauthorized control over ice detection operations, potentially disabling safety alerts and creating hazards in energy facilities such as power plants or transmission infrastructure.
Who's at risk
Energy sector facilities using Labkotec LID-3300IP ice detection systems in power plants, substations, or transmission equipment. Older LID-3300IP models are at higher risk because they cannot be patched; only LID-3300IP Type 2 can receive firmware updates.
How it could be exploited
An attacker on the same network segment as the device can send unauthenticated commands to the LID-3300IP over unencrypted network traffic. The device has no authentication mechanism for network operations, allowing the attacker to alter ice detection settings, trigger false alerts, or disable monitoring without any credentials or special knowledge of the system.
Prerequisites
  • Network access to the LID-3300IP device (same network segment or routed path)
  • Device must be connected to an Ethernet network
  • No authentication credentials required
Remotely exploitable over networkNo authentication requiredLow attack complexityNo patch available for legacy LID-3300IP modelsAffects safety-critical ice detection systemsDefault credentials likely in use
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (2)
2 EOL
ProductAffected VersionsFix Status
LID-3300IP Type 2: <V2.20<V2.20No fix (EOL)
LID-3300IP: vers:all/*All versionsNo fix (EOL)
Remediation & Mitigation
0/6
Do now
0/4
HARDENINGEnable HTTPS for all network traffic to the device
HARDENINGChange default credentials on the device web interface
HARDENINGPlace the device on a segregated internal network; do not connect directly to the internet or untrusted networks
HARDENINGImplement firewall rules to restrict network access to the device to only authorized management workstations and control systems
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade LID-3300IP Type 2 devices to firmware version V2.40 or later
HOTFIXReplace older LID-3300IP models with LID-3300IP Type 2 devices (older models have no available firmware fix)
View full CISA ICS-CERT advisory
API: /api/v1/advisories/71102408-1ea6-4de9-a531-ba22810c43d4

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.