ifm: Vulnerabilities in ifm AC14 firmware

VDE-2024-012
Last update: 15.01.2026 12:00
Published at: 09.07.2024 09:00
Vendor(s): ifm electronic GmbH
External ID: VDE-2024-012

Summary

In ifm Smart PLC firmware up to version 4.3.17 for Smart PLC controllers AC14xx and AC4xxS, an attacker can access the configuration by using the hardcoded credentials. The endpoint hosts a script capable of executing various commands.

Impact

Please see the CVE description.

Affected Product(s)

| Model no. | Product name | Affected versions |
|---|---|---|
| | Smart PLC AC1401 | Firmware <=V4.3.17 |
| | Smart PLC AC1402 | Firmware <=V4.3.17 |
| | Smart PLC AC1403 | Firmware <=V4.3.17 |
| | Smart PLC AC1404 | Firmware <=V4.3.17 |
| | Smart PLC AC1411 | Firmware <=V4.3.17 |
| | Smart PLC AC1412 | Firmware <=V4.3.17 |
| | Smart PLC AC1421 | Firmware <=V4.3.17 |
| | Smart PLC AC1423 | Firmware <=V4.3.17 |
| | Smart PLC AC1424 | Firmware <=V4.3.17 |
| | Smart PLC AC1433 | Firmware <=V4.3.17 |
| | Smart PLC AC1434 | Firmware <=V4.3.17 |
| | Smart PLC AC402s | Firmware <=V4.3.17 |
| | Smart PLC AC422s | Firmware <=V4.3.17 |
| | Smart PLC AC424s | Firmware <=V4.3.17 |
| | Smart PLC AC432s | Firmware <=V4.3.17 |
| | Smart PLC AC434s | Firmware <=V4.3.17 |

Vulnerabilities

Published: 09.02.2026 08:38
Weakness: Use of Hard-coded Credentials (CWE-798)

Published: 09.02.2026 08:38
Weakness: Use of Hard-coded Credentials (CWE-798)

Published: 09.02.2026 08:38
Weakness: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

Published: 09.02.2026 08:38
Weakness: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

Published: 09.02.2026 08:38
Weakness: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

Mitigation

When using automation components, make sure that no unauthorized access can take place. Additional measures should be taken to ensure that the components do not have direct access to Internet resources and that they cannot be accessed from insecure networks. Use available security measures such as authentication and authorization groups.

Remediation

Update to Firmware Version 6.1.8 or later.

Acknowledgments

ifm electronic GmbH thanks the following parties for their efforts:

  • CERT@VDE for coordination (see https://certvde.com)
  • Logan Carpenter from Dragos for reporting

Revision History

| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 09.07.2024 09:00 | Initial revision. |
| 1.1.0 | 27.08.2025 12:00 | Update: CWE from CVE-2024-28751, Revision History |
| 2.0.0 | 06.01.2026 12:00 | Fixed Version range, Added Score to Vulnerability CVE-2024-28750, deleted "firmware" from the full product name of the hardware, changed Vulnerability title to CVE description |
| 3.0.0 | 15.01.2026 12:00 | Update Product information |