PEPPERL+FUCHS: HMI devices are affected by Insecure Platform Key

VDE-2024-065

Last update

14.05.2025 14:28

Published at

26.11.2024 12:00

Vendor(s)

Pepperl+Fuchs SE

External ID

VDE-2024-065

CSAF Document

Download

Summary

A vulnerability in the use of hard-coded Platform Keys (PK) within the UEFI framework, known as PKfail, has been discovered in several Pepperl+Fuchs devices.

Impact

An attacker with the compromised PK private key can create malicious UEFI software that is signed with a trusted key that has been compromised.

Affected Product(s)

Model no.	Product name	Affected versions
70170119	BTC22-NA-1BA1-NN0	BIOS <1.01
70179516	BTC22-NA-1BAJ-NN0	BIOS <1.01
70173575	BTC24-NA-1AA1-NN0	BIOS <1.01
70179517	BTC24-NA-1AAJ-NN0	BIOS <1.01
70124565	PC-320*	BIOS <1.02
70124565	RM-320*	BIOS <1.02

Vulnerabilities

Expand / Collapse all

Published

22.09.2025 14:58

Severity

6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Weakness

Use of Default Cryptographic Key (CWE-1394)

Summary

A vulnerability related to the use an insecure Platform Key (PK) has been discovered. An attacker with the compromised PK private key can create malicious UEFI software that is signed with a trusted key that has been compromised.

References

cve.org | nvd.nist.gov

Mitigation

Protect the device from unauthorized physical access.

Remediation

Install the appropiate updates from the Pepperl+Fuchs Homepage:
* 18-34761B (BIOS 1.01) for BTC22-
* 18-35033B (BIOS 1.01) for BTC24-
* 18-34132C (BIOS 1.02) for RM-320
* 18-34132C / 18-34133E (BIOS 1.02) for PC320

Revision History

Version	Date	Summary
1	26.11.2024 12:00	Initial revision.
2	14.05.2025 14:28	Fix: version space

PEPPERL+FUCHS: HMI devices are affected by Insecure Platform Key

Summary

Impact

Affected Product(s)

Vulnerabilities

CVE-2024-8105 6.4

Mitigation

Remediation

Revision History