A high-severity vulnerability has been identified in multiple products utilizing the Modbus protocol, allowing an unauthenticated remote attacker to cause a denial of service. By sending a specially crafted command, an attacker can crash the affected device, leading to operational downtime and service interruption without needing any credentials.

This vulnerability exists within the Modbus protocol stack of affected devices. An unauthenticated attacker on the network can send a specially crafted Modbus read command to a vulnerable device. The device fails to properly parse this malformed request, triggering an unhandled exception or buffer overflow that causes the Modbus service or the entire device to crash, resulting in a denial of service (DoS) condition. The device will remain unresponsive until it is manually restarted.

This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation could lead to significant business disruption, particularly in Operational Technology (OT) and Industrial Control System (ICS) environments where Modbus is prevalent. A successful attack could halt manufacturing processes, disable building automation systems, or disrupt critical infrastructure operations. The potential consequences include production loss, financial damages, and in certain scenarios, could create unsafe physical conditions if safety-critical systems are impacted.

Immediate Action: Apply vendor security updates immediately. Before deployment, test patches in a non-production environment to ensure compatibility and stability. Prioritize patching for internet-facing or critical systems. After patching, monitor for any signs of exploitation attempts and review device and network access logs for anomalous activity.

Proactive Monitoring: Implement robust monitoring of network traffic to and from affected devices. Use a Network Intrusion Detection System (NIDS) with signatures capable of detecting malformed Modbus packets. Monitor system logs for unexpected reboots, service crashes, or error messages related to the Modbus service. Establish baseline network behavior to more easily detect unusual spikes in Modbus read requests, especially from untrusted network segments.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

• Network Segmentation: Isolate control system networks from corporate and external networks using firewalls and VLANs.
• Access Control: Configure firewall rules to restrict Modbus traffic (TCP port 502) to only authorized devices and management stations.
• Intrusion Prevention System (IPS): Deploy an IPS with rules to block the specific malicious Modbus command signature if available.

Public Exploit Available: false

Organizations are strongly advised to prioritize the remediation of this high-severity vulnerability to prevent potential operational disruptions. The ability for an unauthenticated remote attacker to cause a denial of service in critical systems presents a significant risk. While this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its potential for disruption in OT environments warrants immediate attention. Administrators should identify all affected assets and apply vendor patches as soon as possible. If patching is delayed, implement the recommended compensating controls, such as network segmentation and access restriction, to reduce the attack surface.