CVE-2024-50954
Published: 15 January 2025
Summary
CVE-2024-50954 is a high-severity Improper Check or Handling of Exceptional Conditions (CWE-703) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 45.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-7 (Boundary Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Boundary protection devices filter or block unauthorized Modbus TCP traffic (port 502) to the PLC, preventing unauthenticated attackers from sending crash-inducing messages.
Denial-of-service protections such as rate limiting TCP connections and Modbus request throttling limit the impact of crafted messages that cause PLC crashes.
Proper error handling ensures the PLC does not enter an unsafe crash state when processing exceptional conditions in malformed Modbus messages.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote exploitation of exception handling flaw in Modbus protocol processing to crash PLC (application/system DoS).
NVD Description
The XINJE XL5E-16T and XD5E-24R-E programmable logic controllers V3.5.3b-V3.7.2a have a vulnerability in handling Modbus messages. When a TCP connection is established with the above series of controllers within a local area network (LAN), sending a specific Modbus message to…
more
the controller can cause the PLC to crash, interrupting the normal operation of the programs running in the PLC. This results in the ERR indicator light turning on and the RUN indicator light turning off.
Deeper analysisAI
CVE-2024-50954 is a vulnerability in the Modbus message handling of XINJE XL5E-16T and XD5E-24R-E programmable logic controllers (PLCs) running firmware versions V3.5.3b through V3.7.2a. When a TCP connection is established with these controllers over a local area network (LAN), sending a specific Modbus message triggers an improper check or handling of exceptional conditions (CWE-703), causing the PLC to crash. This interrupts normal program operation, activates the ERR indicator light, and deactivates the RUN indicator light. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Any unauthenticated attacker with network access to the affected PLC can exploit this issue by establishing a TCP connection and transmitting the crafted Modbus message. Exploitation requires low complexity and no privileges, enabling remote denial-of-service (DoS) attacks that halt PLC functionality and disrupt connected industrial processes.
Further technical details, including reproduction steps for the vulnerability, are documented in the advisory at https://github.com/Curator-Kim/Vulnerability-mining/blob/master/XINJE%20XL5E-16T%20XD5E-24R%20Modbus/XINJE%20XL5E-16T%20XD5E-24R%20Modbus.md. No patch or mitigation guidance is specified in available sources.
Details
- CWE(s)