CVE-2024-57790 - Hardcoded Root Credentials in IXON B.V. IXrouter IX240 v3. Exposes Critical Industrial Systems

Date: June 2024
Vulnerability ID: CVE-2024-57790
Product Affected: IXON B.V. IXrouter IX240 (Industrial Edge Gateway) v3.
Components: Physical device, non-volatile flash memory
Attack Vector: UART access or SSH
Severity: Critical

Introduction

The security of industrial IoT equipment remains a growing concern as more devices connect to remote monitoring or management. In June 2024, researchers disclosed CVE-2024-57790, a severe vulnerability affecting IXON B.V.'s IXrouter IX240 v3.. This bug makes it possible for a local attacker to easily gain root access using hardcoded credentials stored directly in the hardware’s memory. The impact reaches far: once inside, an attacker gains full control over your industrial edge gateway.

This writeup explains the root cause, practical exploit steps—including code snippets—and how to protect your devices.

What is the IXrouter IX240?

The IXrouter IX240 is an industrial-grade edge gateway widely used in factories and plants for securely connecting industrial networks (like PLCs and HMIs) to the cloud. Its purpose is to bridge operational technology (OT) and IT securely. Its critical location at the edge makes any compromise especially dangerous.

Technical Details

- Issue: The firmware for IXrouter IX240 v3. contains a root user password baked into non-volatile flash memory.
- Where: Typically found in /etc/shadow or /etc/passwd files within the root filesystem, but actually hardcoded into the device’s flash storage.
- How It’s Accessed: Via physical interfaces—most commonly UART (serial console) or network-based protocols like SSH, if enabled.

Attack Scenario

An attacker with physical access to the gateway (on-site at a factory or plant, or during shipment) connects to the device’s UART port (standard on many industrial gateways). There, they can boot into a shell or recovery mode, or dump the flash memory to extract stored credentials.

Alternatively, on some setups, if SSH is enabled and external, the same hardcoded password can be used remotely.

The attacker opens the IXrouter and finds the UART header on the PCB (printed circuit board)

- Tools Required: USB-to-UART adapter (like FTDI cable), jumper wires, laptop with serial terminal program (e.g., PuTTY, minicom).

Connection Diagram

| USB-to-UART | IXrouter PCB Pin |
|------------------|-----------------------------|
| GND | GND |
| TX | RX |
| RX | TX |
| (3.3V/5V as needed) | VCC (if necessary) |

Step 2: Serial Console Access

- Connect using a terminal emulator (set baud rate, stop bits, etc. — refer to device manual; often 115200 8N1).

# Example using minicom (on Linux)
sudo minicom -D /dev/ttyUSB -b 115200

Power the device and watch for the boot process.

- Interrupt the bootloader (often by pressing a key), then boot into Linux single-user mode or normal boot.

Watch for login prompt

IXrouter login: root
Password: ixrouterRootPwd123   # (example placeholder)

> Note: The real password is usually recoverable from the firmware image or public disclosures. For this CVE, let's use the example ixrouterRootPwd123, as redacted in advisories.

If SSH is enabled and reachable

ssh root@192.168.1.1
Password: ixrouterRootPwd123

Sample Code Snippet: Parsing the Flash Image

If you have dumped the flash memory, you can use Python to search for the hardcoded password in the image:

# flash_dump_analyzer.py
with open('ixrouter_flash.img', 'rb') as f:
    data = f.read()

# Example: Look for ASCII root password string in the dump
import re
matches = re.findall(b'ixrouterRootPwd123', data)
print(f'Found {len(matches)} instance(s) of the root password in flash image.')

References

- Official CVE Entry – CVE-2024-57790
- IXON IXrouter Product Page
- Shodan Search for IXrouter
- UART Security Primer – No Starch Press

Manufacturers/Operators Should

- Update firmware as soon as patches are available (check here).

Conclusion

CVE-2024-57790 is a textbook case of why hardcoded credentials are dangerous, particularly in hardware meant to protect industrial environments. If an attacker can access your IXrouter's UART, or if remote access is available, they can take over your industrial process’s “edge.” Industrial operators should act fast—patch, lock down physical access, and monitor for strange activity.

Stay safe, and always change those passwords!

*This post is exclusive content summarizing how CVE-2024-57790 can be practically exploited, using plain language for maximum clarity. For official updates and patches, always follow up with IXON directly and monitor the CVE database.*

Timeline

Published on: 02/14/2025 17:15:18 UTC
Last modified on: 03/17/2025 19:15:24 UTC