CVE-2023-7244
published 2024-03-01

CVE-2023-7244: Industrial Control Systems Network Protocol Parsers (ICSNPP) - Ethercat Zeek Plugin versions d78dda6 and prior are vulnerable to out-of-bounds write in their…

Priority: P263, critical, CVSS 3.1 score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.82% (52.6th percentile)
Industrial Control Systems Network Protocol Parsers (ICSNPP) - Ethercat Zeek Plugin versions d78dda6 and prior are vulnerable to out-of-bounds write in their primary analyses function for Ethercat communication packets. This could allow an attacker to cause arbitrary code execution.

Affected

2 ranges

Vendor | Product | Version range | Fixed in
cisa | icsnpp-ethercat | <= d78dda6 |
cisa | industrial_control_systems_network_protocol_parsers_ethercat_plugin_for_zeek | <= d78dda6 |

Detection & IOCs

  • Trigger condition: out-of-bounds write occurs in the primary analyses function when processing Ethercat communication packets — monitor Zeek process for crashes or memory corruption when handling Ethercat traffic
  • Vulnerable version anchor: ICSNPP Ethercat Zeek Plugin at commit d78dda6 or prior is exploitable; flag or alert on deployments running this commit
  • Safe version anchor: update to commit 3bca34c or later to remediate; use this as a detection baseline for unpatched systems
  • Attack vector is fully remote with no authentication or user interaction required (AV:N/AC:L/PR:N/UI:N); any network-accessible Zeek sensor parsing Ethercat traffic is exposed — monitor for anomalous Ethercat packets reaching Zeek sensors
  • No known public exploitation has been reported at time of advisory publication; threat is theoretical but critical (CVSS 9.8)
  • The vulnerability is in the Zeek plugin layer, not in Ethercat devices themselves — exploitation requires the attacker to be able to send crafted Ethercat packets to a network segment monitored by a vulnerable Zeek sensor