CVE-2017-7924
published 2017-09-20

Priority: P263 high, 7.5 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EXPLOIT
EPSS: 22.18% (97.4th percentile)
An Improper Input Validation issue was discovered in Rockwell Automation MicroLogix 1100 controllers 1763-L16BWA, 1763-L16AWA, 1763-L16BBB, and 1763-L16DWD. A remote, unauthenticated attacker could send a single, specially crafted Programmable Controller Communication Commands (PCCC) packet to the controller that could potentially cause the controller to enter a DoS condition.

Detection & IOCs (extracted from sources)

port: 44818/TCP
snort:
alert tcp $EXTERNAL_NET any -> $HOME_NET 44818 (msg:"ET EXPLOIT Possible MicroLogix 1100 PCCC DoS Condition (CVE-2017-7924)"; flow:established,to_server; content:"|4b 02 20 67 24 01|"; content:"|a2|"; distance:0; content:"|05 47|"; distance:1; within:2; reference:cve,2017-7924; reference:url,rapid7.com/db/modules/auxiliary/dos/scada/allen_bradley_pccc; classtype:attempted-dos; sid:2026917; rev:2; metadata:created_at 2019_02_18, cve CVE_2017_7924, deployment Perimeter, performance_impact Moderate, confidence Medium, signature_severity Major, updated_at 2024_03_07, reviewed_at 2024_05_06;)
bytes: |4b 02 20 67 24 01|
bytes: |a2| ... |05 47|
  • Detect the crafted PCCC DoS packet on TCP port 44818 (EtherNet/IP) by matching the rule's three-part byte sequence in an established inbound TCP flow: |4b 02 20 67 24 01|, then |a2| at any later offset (distance:0), then |05 47| starting exactly one byte after |a2| (distance:1; within:2).
  • A single specially crafted PCCC packet is sufficient to trigger the DoS; detection should fire on the first matching packet rather than requiring a session pattern.
  • Monitor and restrict inbound traffic on Port 2222/TCP and UDP and Port 44818/TCP and UDP at the perimeter; unexpected external sources reaching these ports targeting MicroLogix 1100 devices are high-confidence attack indicators.
  • The Metasploit auxiliary module auxiliary/dos/scada/allen_bradley_pccc implements this exploit; presence of this module's traffic pattern or its use in a pentest/red-team context should be flagged.
  • The Snort/ET rule targets TCP port 44818 only; the vulnerability also applies over UDP 44818 and TCP/UDP 2222 (EtherNet/IP / CIP), so the rule does not provide full coverage across all transport variants.
  • The ET rule is classified with 'confidence Medium', meaning the byte pattern may produce false positives in environments with high volumes of legitimate EtherNet/IP traffic; tune accordingly.
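
To check captured payloads offline against the rule's content chain, the following added example (not part of the ET rule or of any source cited on this page) re-implements the three content matches with their distance/within modifiers. It ignores the port and flow keywords, and the helper names and sample payloads are constructed for illustration.

```python
# Added example: offline check of the ET rule's three chained content matches.
HEAD = bytes.fromhex("4b0220672401")  # content:"|4b 02 20 67 24 01|"
MID = bytes.fromhex("a2")             # content:"|a2|"; distance:0
TAIL = bytes.fromhex("0547")          # content:"|05 47|"; distance:1; within:2


def _find_all(data: bytes, needle: bytes, start: int = 0):
    """Yield every offset >= start at which needle occurs in data."""
    pos = data.find(needle, start)
    while pos != -1:
        yield pos
        pos = data.find(needle, pos + 1)


def matches_rule(payload: bytes) -> bool:
    """Return True if payload satisfies the rule's content chain.

    distance:0 lets |a2| sit anywhere after the end of HEAD.
    distance:1 with within:2 pins the 2-byte TAIL to exactly one byte
    after |a2|. Every candidate occurrence is tried, mirroring how the
    detection engine retries relative content matches.
    """
    for h in _find_all(payload, HEAD):
        for m in _find_all(payload, MID, h + len(HEAD)):
            t = m + len(MID) + 1  # skip one byte (distance:1)
            if payload[t:t + len(TAIL)] == TAIL:  # within:2 leaves no slack
                return True
    return False


if __name__ == "__main__":
    # Constructed buffers with filler bytes, not captured traffic.
    samples = {
        "a2 right after head": HEAD + MID + b"\x00" + TAIL,
        "a2 eight bytes later": HEAD + b"\x00" * 8 + MID + b"\xff" + TAIL,
        "tail directly after a2": HEAD + MID + TAIL,
        "tail two bytes after a2": HEAD + MID + b"\x00\x00" + TAIL,
        "head comes last": MID + b"\x00" + TAIL + HEAD,
    }
    for name, payload in samples.items():
        print(f"{name}: {matches_rule(payload)}")
```
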

CVSS provenance

nvd v3.0: 7.5 HIGH CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd v2.0: 5.0 MEDIUM AV:N/AC:L/Au:N/C:N/I:N/A:P