ifm: Improper Access Control vulnerability

VDE-2024-061

Last update

06/30/2025 12:00

Published at

06/30/2025 12:00

Vendor(s)

ifm electronic GmbH

External ID

VDE-2024-061

CSAF Document

Download

Summary

A vulnerability has been disclosed in PLC ifm AC4xxS that allows an attacker to trigger the safety state with the help of a specially crafted html request. This leads to a loss of availability.

Impact

An unauthorized attacker can exploit this vulnerability to issue malicious commands to the PLC, potentially disrupting or damaging the production line.

Affected Product(s)

Model no.	Product name	Affected versions
	ifm Smart PLC AC4xxS	Firmware V4.04<V4.3.17, Firmware V6.1.8

Vulnerabilities

Expand / Collapse all

Published

09/24/2025 12:37

Severity

7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weakness

Missing Authentication for Critical Function (CWE-306)

References

cve.org | nvd.nist.gov

Mitigation

When using automation components, make sure that no unauthorized access can take place. In addition, measures should be taken to ensure that the components do not have direct access to Internet resources and that they cannot be accessed from insecure networks. Use available security measures such as authentication and authorization groups.

PLC with firmware V6.1.8 http interface can be disabled.

Acknowledgments

ifm electronic GmbH thanks the following parties for their efforts:

CERT@VDE for coordination (see https://certvde.com )
Dmytro Kryhin from National Technical University of Ukraine "Igor Sikorsky Kyiv Polytechnic Institute" for reporting (see https://kpi.ua/en )

Revision History

Version	Date	Summary
1	06/30/2025 12:00	Initial release.