EUVD-2018-21599

CVE-2018-25112
Severity: HIGH (CVSS 3.1 base score 7.5)
Published: 2025-06-04

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 17:29 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 17:29 (euvd), EUVD-2018-21599
CVE Published: Jun 04, 2025 - 10:15 (nvd), HIGH 7.5

Description

An unauthenticated remote attacker may use an uncontrolled resource consumption in the IEC 61131 program of the affected products by creating large amounts of network traffic that needs to be handled by the ILC. This results in a Denial-of-Service of the device.

Analysis

CVE-2018-25112 is an unauthenticated network-based Denial-of-Service vulnerability affecting IEC 61131-compliant Industrial Logic Controllers (ILCs). An attacker can exhaust device resources by flooding the controller with crafted network traffic, rendering it unresponsive. With a CVSS score of 7.5 (High severity), no authentication required, and a network-accessible attack surface, this poses significant risk to industrial control systems. The likelihood of exploitation, however, depends on network exposure and on whether patches are available from affected vendors.

Technical Context

The vulnerability exploits uncontrolled resource consumption (CWE-770) in devices implementing the IEC 61131-3 industrial automation programming standard. ILC devices process network-based requests to manage industrial processes; the affected products lack proper input validation and rate-limiting mechanisms on network packet handling. When a flood of large or malformed packets arrives, the device's finite memory and CPU resources are exhausted as it attempts to process each request, and the device becomes unresponsive. The attack vector is Network (AV:N) with Low Complexity (AC:L), meaning no special conditions or tools are required; raw network traffic suffices. Because no privileges (PR:N) and no user interaction (UI:N) are required, this is broadly exploitable against any exposed ILC on a network.

Affected Products

CVE-2018-25112 affects IEC 61131-compliant Industrial Logic Controllers from multiple vendors. Specific CPE data is not available for this entry, but affected products typically include: Siemens S7 series, Beckhoff TwinCAT runtime, Phoenix Contact PLCnext, ABB AC500, and similar ILC/PLC platforms. Without vendor-specific advisories in the references, affected versions cannot be precisely enumerated. Organizations should cross-reference this CVE against vendor security bulletins for Siemens, ABB, Beckhoff, and Phoenix Contact released around 2018-2020. The vulnerability affects any deployment where ILC devices accept network traffic with insufficient input filtering.

Remediation

Specific remediation steps:

(1) Consult vendor security advisories for firmware/software patches released for CVE-2018-25112; vendors typically released patches in 2019-2020.
(2) Apply available patches to affected ILC firmware versions immediately if internet-exposed.
(3) Network-based mitigations: implement strict ingress filtering at network boundaries to rate-limit or block malformed traffic destined for ILC devices; deploy intrusion prevention systems (IPS) configured to detect DoS attack patterns.
(4) Operational mitigations: segment ILC devices onto dedicated, protected VLANs with restricted access; disable unnecessary network services on ILC devices; implement redundancy/failover mechanisms to maintain availability if primary ILC is impacted.
(5) Monitoring: implement NetFlow/SIEM alerting for abnormal traffic patterns toward ILC devices.

Vendor patch links and specific versions must be obtained from Siemens, ABB, Beckhoff, and Phoenix Contact security advisories directly.
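The monitoring step (5) can be prototyped as a sliding-window check over flow records before it is written as a SIEM rule. The following is an added example, not code from the advisory or any vendor; the controller addresses, window length, thresholds and flow records are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed values for illustration; tune to the site's measured baseline.
CONTROLLERS = {"192.0.2.10", "192.0.2.11"}  # constructed asset list
WINDOW_S = 10        # sliding window length in seconds
MAX_PPS = 500        # packets/second averaged over the window
MAX_SOURCES = 20     # distinct senders per window


def detect(flows):
    """flows: iterable of (time_s, src, dst, packets). Returns alerts as
    (time_s, dst, reason), one per excursion above a threshold."""
    window = defaultdict(deque)   # dst -> deque of (time_s, src, packets)
    active = set()                # (dst, reason) pairs currently alerting
    alerts = []
    for t, src, dst, packets in sorted(flows, key=lambda f: f[0]):
        if dst not in CONTROLLERS:
            continue
        q = window[dst]
        q.append((t, src, packets))
        while q[0][0] <= t - WINDOW_S:      # evict records outside the window
            q.popleft()
        pps = sum(p for _, _, p in q) / WINDOW_S
        sources = len({s for _, s, _ in q})
        for reason, hit in (("rate", pps > MAX_PPS),
                            ("sources", sources > MAX_SOURCES)):
            key = (dst, reason)
            if hit and key not in active:
                active.add(key)
                alerts.append((t, dst, reason))
            elif not hit:
                active.discard(key)         # re-arm once traffic is normal again
    return alerts


def sample_flows():
    """Constructed data: an HMI polls both controllers once a second; one
    host sends a high packet volume to 192.0.2.10 for five seconds from t=15."""
    flows = []
    for t in range(30):
        flows.append((t, "192.0.2.50", "192.0.2.10", 20))
        flows.append((t, "192.0.2.50", "192.0.2.11", 20))
    for t in range(15, 20):
        flows.append((t, "198.51.100.7", "192.0.2.10", 3000))
    return flows


if __name__ == "__main__":
    for alert in detect(sample_flows()):
        print(alert)
```

The window is only re-evaluated when a flow record arrives, so an alert re-arms on the first record seen after traffic has dropped back under the threshold.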

Priority Score

38 (scale: Low, Medium, High, Critical)

KEV: 0
EPSS: +0.2
CVSS: +38
POC: 0
