
ID

VDE-2024-061

Published

2025-06-30 12:00 (CEST)

Last update

2025-06-27 09:51 (CEST)

Vendor(s)

ifm electronic GmbH

Product(s)

Article No. | Product Name | Affected Version(s)
- | Smart PLC AC4xxS | Firmware V4.04 < V4.3.17
- | Smart PLC AC4xxS | Firmware V6.1.8

Summary

A vulnerability has been disclosed in the ifm AC4xxS PLC that allows an attacker to trigger the safety state with a specially crafted HTML request. This leads to a loss of availability.


Last Update:

27 June 2025 09:50

Weakness

Missing Authentication for Critical Function (CWE-306)

Summary

The endpoint hosts a script that allows an unauthorized remote attacker to put the system in a fail-safe state over the network due to missing authentication.


Impact

An unauthorized attacker can exploit this vulnerability to issue malicious commands to the PLC, potentially disrupting or damaging the production line.

Solution

Mitigation

When using automation components, make sure that no unauthorized access can take place. In addition, measures should be taken to ensure that the components do not have direct access to Internet resources and that they cannot be accessed from insecure networks. Use available security measures such as authentication and authorization groups.

On PLCs with firmware V6.1.8, the HTTP interface can be disabled.

Reported by

CERT@VDE coordinated with ifm electronic GmbH

Reported by Dmytro Kryhin of National Technical University of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”