CVE-2024-57811
Published: 13 January 2025
Summary
CVE-2024-57811 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique SSH (T1021.004); it is ranked at the 39.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SA-22 (Unsupported System Components).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- IA-5 (Authenticator Management): directly mitigates hardcoded root passwords by requiring systematic management of authenticators, including prohibitions on default and unnecessary credentials.
- SA-22 (Unsupported System Components): addresses risks from end-of-support firmware with unpatched hardcoded credentials by mandating inventory, criteria, and replacement or removal of unsupported components.
- Account management: enables management of privileged root accounts to disable unnecessary access or enforce credential changes where the firmware permits.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hardcoded root credentials directly enable SSH-based remote access (T1021.004/T1133) with valid accounts (T1078) for Unix shell command execution (T1059.004).
NVD Description
In Eaton X303 3.5.16 - X303 3.5.17 Build 712, an attacker with network access to a XC-303 PLC can login as root over SSH. The root password is hardcoded in the firmware. NOTE: This vulnerability appears in versions that are no longer supported by Eaton.
Deeper analysis
CVE-2024-57811 is a use of hardcoded credentials vulnerability (CWE-798) affecting Eaton X303 firmware versions 3.5.16 through 3.5.17 Build 712 on XC-303 PLC devices. The issue stems from a hardcoded root password embedded in the firmware, enabling unauthorized root access via SSH. These versions are no longer supported by Eaton, leaving affected systems without vendor-backed updates.
An unauthenticated attacker with network access to the vulnerable XC-303 PLC can exploit this flaw with low complexity and no user interaction required (CVSSv3.1 base score of 9.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H). Successful exploitation grants full root privileges over SSH, allowing the attacker to execute arbitrary commands, modify critical configurations, disrupt device operations, or potentially pivot to other networked industrial control systems.
The primary advisory is documented by Google Security Research at GHSA-xf7j-4x67-6h93. No patches are available, as the affected firmware versions are end-of-support; organizations should isolate exposed XC-303 PLCs from untrusted networks, monitor SSH traffic for suspicious logins, and consider decommissioning or replacing unsupported devices.
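One way to act on the monitoring advice above, as an added example (not code from the advisory, from Google Security Research or from Eaton): a small Python filter that flags root SSH logins in OpenSSH-style authentication logs. It assumes the PLC, or a collector in front of it, forwards sshd lines in that format; the log lines and the 10.10.5.0/24 management network below are constructed for the example.

```python
import ipaddress
import re

# OpenSSH-style authentication line as forwarded by syslog. Assumption: the PLC
# (or a collector in front of it) emits lines in this format; the samples below
# are constructed for this example, not captured from a real XC-303.
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

# Constructed sample log lines (hostname, addresses and times are made up).
SAMPLE_LOG = """\
Jan 13 10:01:02 xc303-plc sshd[811]: Accepted publickey for maint from 10.10.5.20 port 51022 ssh2
Jan 13 10:02:17 xc303-plc sshd[815]: Accepted password for root from 10.10.5.20 port 51030 ssh2
Jan 13 10:04:41 xc303-plc sshd[820]: Failed password for root from 192.0.2.44 port 40110 ssh2
Jan 13 10:04:43 xc303-plc sshd[820]: Accepted password for root from 192.0.2.44 port 40110 ssh2
Jan 13 10:05:00 xc303-plc sshd[825]: Accepted password for operator from 10.10.5.21 port 51100 ssh2
"""

def find_root_ssh_logins(log_text, allowed_nets):
    """Return (ip, reason) for every accepted root SSH login that needs review.

    Every *password* login as root is reported, because with a hard-coded root
    password (CWE-798) such a login proves nothing about who is at the keyboard.
    Root logins from outside the allowed management networks are reported
    regardless of authentication method. Failed attempts are ignored here.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m or m["user"] != "root":
            continue
        ip = ipaddress.ip_address(m["ip"])
        reasons = []
        if m["method"] == "password":
            reasons.append("root password login")
        if not any(ip in n for n in nets):
            reasons.append("source outside management network")
        if reasons:
            findings.append((str(ip), "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for ip, reason in find_root_ssh_logins(SAMPLE_LOG, ["10.10.5.0/24"]):
        print(f"{ip}: {reason}")
```

On a device whose root password cannot be changed, every hit from this filter is worth an investigation ticket, since the password itself no longer distinguishes the maintenance team from anyone who has read the firmware.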
Details
- CWE(s)