Detections
Analytics

Automated Logic WebCTRL Premium Server Unrestricted Upload of File with Dangerous Type (CVE-2024-8525)

critical Tenable OT Security Plugin ID 502854

Synopsis

The remote OT asset is affected by a vulnerability.

Description

CWE-434 Unrestricted Upload of File with Dangerous Type vulnerability exists which could allow an unauthenticated user to upload files of dangerous types without restrictions, leading to remote command execution.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Automated Logic has recommended the following:

- For CVE-2024-8525, a software update is available on the authorized dealer support site. Although a software update is available for this issue, the last support date for v7.0 was 1/27/2023 and it is recommended that customers upgrade their software to the latest supported version.
- For CVE-2024-8526, the vulnerability was fixed at version 8.0 for all impacted products.
- Additionally, Customers are encouraged to follow Automated Logic's [Security Best Practices Checklists for Building Automation Systems (BAS)](https://www.automatedlogic.com/en/media/Security Best Practices for a WebCTRL v8.0 system-522_tcm702-168128.pdf) to ensure alignment with best practices installation guidelines.

See Also

http://www.nessus.org/u?56a939f1

https://www.cisa.gov/news-events/ics-advisories/icsa-24-326-01

Plugin Details

Severity: Critical

ID: 502854

Version: 1.2

Type: remote

Family: Tenable.ot

Published: 2/17/2025

Updated: 2/17/2025

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v4

Risk Factor: Critical

Base Score: 9.3

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

CPE: cpe:/a:automatedlogic:webctrl_server

Required KB Items: Tenable.ot/AutomatedLogicCorporation

Patch Publication Date: 11/21/2024

Vulnerability Publication Date: 11/21/2024

Reference Information

CVE: CVE-2024-8525

CWE: 434