CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?



Critical Vulnerabilities Expose Pepperl+Fuchs Industrial Switches to Attacks

Researchers discovered several potentially serious vulnerabilities in Pepperl+Fuchs Comtrol’s RocketLinx industrial switches, including ones that can be exploited to take complete control of devices.

Researchers discovered several potentially serious vulnerabilities in Pepperl+Fuchs Comtrol’s RocketLinx industrial switches, including ones that can be exploited to take complete control of devices.

The flaws were disclosed this week by SEC Consult, the Austria-based cybersecurity consultancy whose researchers found the issues. The German industrial automation solutions provider also published advisories this week to inform customers about patches and workarounds.

Critical vulnerabilities found in Pepperl+Fuchs RocketLinx industrial switches

A total of five types of vulnerabilities were discovered, and Pepperl+Fuchs says they can be exploited to gain access to impacted switches, execute commands, and obtain information.

The flaws have been assigned the CVE identifiers CVE-2020-12500 through CVE-2020-12504. Three of them are considered critical and two have been rated high severity.

SEC Consult told SecurityWeek that exploitation of the vulnerabilities requires network access to the targeted switch — no permissions are needed on the device itself. Some of the vulnerabilities, either chained or on their own, can allow an attacker to take complete control of a targeted industrial switch.

Learn more about vulnerabilities in industrial systems at SecurityWeek’s 2020 ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

Advertisement. Scroll to continue reading.

One of the critical flaws allows an unauthenticated attacker to make changes to the device’s configuration, including to modify network settings, upload configuration files, and upload firmware and bootloader files. The vulnerability can also be exploited to cause a device to enter a DoS condition that can only be fixed by pressing the reset button on the switch and reconfiguring it.

Another critical vulnerability is related to the existence of multiple backdoor accounts, but the vendor says some of them are read-only.

The third critical issue is related to the TFTP service, which is used for uploading and downloading firmware, bootloader and configuration files.

“This TFTP server can be abused to read all files from the system as the daemon runs as root which results in a password hash exposure via the file /etc/passwd. Write access is restricted to certain files (configuration, certificates, boot loader, firmware upgrade) though,” SEC Consult explained in its advisory. “By uploading malicious Quagga config-files an attacker can modify e.g. IP-settings of the device. Malicious firmware and bootloader uploads are possible too.

All of the security holes impact several RocketLinx ES switches, and three of them only affect some ICRL switches.”

Researchers also identified multiple command injection vulnerabilities, and while their exploitation requires authentication, the lack of cross-site request forgery (CSRF) protections makes it possible for an attacker to conduct activities on behalf of an authenticated user by convincing them to click on a malicious link.

SEC Consult pointed out that the vulnerabilities are actually in firmware provided to Pepperl+Fuchs by a third party, which has not been named by SEC Consult. The vulnerabilities were reported by SEC Consult through Germany’s CERT@VDE in April, and while Pepperl+Fuchs addressed them, it seemed until recently that the OEM would not take any action. However, SEC Consult told SecurityWeek that it finally received a response from the company shortly after making its advisory public.

SEC Consult typically publishes proof-of-concept (PoC) code in its advisories, but this time it refrained from doing so due to the lack of patches from the OEM.

Related: Pepperl+Fuchs HMIs Vulnerable to Meltdown, Spectre Attacks

Related: ICS Vendors Release Advisories for CodeMeter Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.