CVE-2025-0960
Published: 04 February 2025
Description
AutomationDirect C-more EA9 HMI contains a function with bounds checks that can be skipped, which could result in an attacker abusing the function to cause a denial-of-service condition or achieve remote code execution on the affected device.
Security Summary
CVE-2025-0960, published on 2025-02-04, affects the AutomationDirect C-more EA9 HMI. The vulnerability stems from a function whose bounds checks can be skipped, classified under CWE-120 (Buffer Copy without Checking Size of Input). The flaw carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), a critical severity rating.
An unauthenticated attacker with network access can exploit this vulnerability with low attack complexity and no user interaction. Successful exploitation allows the attacker to abuse the affected function, resulting in a denial-of-service condition or remote code execution on the HMI device and compromising confidentiality, integrity, and availability.
Mitigation guidance is available in vendor and government advisories, including AutomationDirect's security advisory at https://community.automationdirect.com/s/cybersecurity/security-advisories and CISA's ICSA-25-035-08 at https://www.cisa.gov/news-events/ics-advisories/icsa-25-035-08.
Details
- CWE(s): CWE-120 (Buffer Copy without Checking Size of Input)