
runZero Ushers in a New Era of Exposure Management


Expanded platform offers new approach to detecting and prioritizing risk, starting with comprehensive visibility across the total attack surface


AUSTIN, TEXAS — March 26, 2025
runZero today established itself at the vanguard of a new era of exposure management, releasing new product capabilities, welcoming executive leadership with deep industry expertise, and gaining channel momentum.

runZero’s expanded platform offers a new approach to effectively manage the risk lifecycle, enabling security teams to find, prioritize, and remediate broad classes of exposures across internal and external attack surfaces, including those that evade traditional vulnerability and external attack surface management solutions. As a single source of truth for exposure management, runZero is the most effective and efficient way for organizations to proactively minimize risk across their total attack surface, including internal, external, IT, OT, IoT, mobile, and cloud environments.

“Our industry needs a paradigm shift if we’re going to successfully secure today’s complex attack surfaces. Legacy approaches are fundamentally flawed, starting with incomplete knowledge of the attack surface itself and inadequate exposure detection capabilities,” said HD Moore, founder and CEO of runZero. “Our goal is to help security teams get better outcomes, which means detecting and prioritizing the exposures that are most likely to be exploited, not flooding them with irrelevant alerts. runZero started by delivering comprehensive discovery across internal and external attack surfaces and is now leveraging novel techniques to uncover high-risk exposures that other solutions simply can’t detect.”

Overcoming persistent problems

Common Vulnerabilities and Exposures (CVEs) are the lingua franca of cybersecurity, having become synonymous with exposure — but not all vulnerabilities have CVEs. Serious misconfigurations, such as exposed databases, broken network segmentation, and unintentional exposure of management servers, are frequently the source of breaches, but rarely get the focus they deserve. Instead, organizations suffer through Sisyphean prioritization tasks that consume resources without reducing the likelihood of an incident.

Current approaches to vulnerability management only uncover a small subset of vulnerabilities, with significant delays, and only reliably identify these exposures under specific and optimal conditions. Models that focus on known-exploited CVEs, a tiny fraction of the total (0.05% according to the CISA KEV), are still leaving gaps measured in weeks that criminals exploit for financial gain.

Traditional tools also fail to discover and defend unknown and unmanageable assets, providing insurmountable challenges throughout the exposure detection and prioritization cycle. Starting with just a fraction of the attack surface makes it impossible to detect the full scope of exposures and prioritize accordingly.

As a result, organizations are spending enormous resources on remediation efforts while still missing the attack paths most likely to be exploited in their environment. Overcoming these persistent, decades-old problems requires a new approach.

A new approach to exposure management

Leveraging innovative technology and proprietary discovery techniques, runZero provides organizations the most complete and accurate visibility across their total attack surface, including unknown and unmanageable assets. On average, runZero enterprise customers report finding 25% more assets than they were previously aware of, with some environments yielding 10x more assets than security teams expected, radically expanding their view of their attack surfaces and the exposures within. These previously unknown assets are often those at the most risk, as they have not been properly tracked by either IT or security teams.

Starting with a foundation of comprehensive visibility enables runZero to provide full-spectrum exposure detection across internal and external attack surfaces. Advanced fingerprinting methodologies build detailed, accurate profiles of each asset in the environment using a library of almost 1,000 attributes. This unmatched depth of data enables the platform to identify much broader classes of exposures going well beyond CVEs to identify risks that evade traditional vulnerability and external attack surface management solutions.

“While runZero started out in the most complex side of ASM, namely the CAASM market, it is already expanding into EASM and broader exposure management use cases, which is a salutary development,” said Rik Turner, Senior Principal Analyst at Omdia. “Its CAASM background provides the most solid foundation for such a move, giving it valuable insights into a customer’s asset estate and making it a strong candidate for any ASM or exposure management project within an organization.”

With runZero, teams can uncover elusive exposures such as network segmentation failures, externally-exposed internal assets, missing security controls, insecure encryption keys, end-of-life software, prohibited devices, and misconfigured OT and IoT devices. runZero also enables organizations to quickly respond to zero days without rescanning by automatically querying data already captured in the fingerprinting process to immediately surface at-risk assets, including unmanaged devices.

In contrast to other solutions that flood teams with alerts, runZero employs data-driven risk prioritization, highlighting the most urgent exposures by leveraging business context, device impact, and meaningful attributes. With highly intuitive risk findings, security teams can focus on critical threats while understanding their broader implications across the attack surface.

Today’s release introduces new risk findings and dashboards, providing a novel paradigm for organizing, addressing, and tracking exposures over time. These findings address the most critical areas of risk, including:

  • Internet exposures: identifying internal assets unintentionally exposed to the internet

  • End-of-life systems: pinpointing assets running unsupported hardware or software

  • Open access services: detecting misconfigurations like unauthenticated databases or exposed management interfaces

  • Known exploited vulnerabilities: highlighting assets targeted by active threats, leveraging insights from CISA KEV and VulnCheck KEV catalogs

  • Compliance challenges: flagging instances of prohibited equipment or configuration issues that violate specific acquisition regulations

  • Certificates and shared keys: identifying a wide range of security issues with TLS certificates and SSH host keys, including expired (and nearly expired) certificates, as well as widely shared private keys

  • Best practice violations: uncovering asset and service configurations that violate security best practices such as authentication without encryption, obsolete protocol detection, and misconfigured services

  • Vulnerabilities: prioritizing issues based on both natively discovered and externally imported vulnerabilities

  • Rapid responses: detecting assets potentially vulnerable to emerging threats

Customers and users of runZero’s free Community Edition have immediate access to these new capabilities at no additional cost.

Channel growth fueling global expansion

runZero has teamed up with leading channel partners to introduce their unique exposure management capabilities to organizations around the globe.

Having grown significantly over the last year, the runZero Infinity Partner Program now encompasses North America, Europe, the Middle East, Africa, Australia, and Asia, including key partners such as Guidepoint (US), Distology (UK + Europe), Secon (UK), AmiViz (Middle East), Kappa Data (Western Europe), CyberCX (Australia), and KDSys (South Korea). These organizations serve as trusted advisors, with a focus on delivering value to their customers by identifying innovative solutions to help them meet today’s security challenges.

“We are thrilled to be partnering with runZero, adding their attack surface and exposure management technology to our expanding portfolio. This amazing product bolsters the Workspace area of the Distology portfolio, and we are excited to jointly take their message to market,” commented Sarah Geary, Chief Commercial Officer at Distology.

New leaders bring decades of experience in exposure management

runZero recently welcomed two industry experts to their leadership team, collectively bringing decades of experience in exposure management as the company continues to bring innovative solutions to market.

New Vice President of Product and Engineering, Brandon Turner, spent over a decade at Rapid7 working on platform delivery and engineering; in his new role at runZero he will leverage years of industry experience to craft solutions that meet the needs of teams securing complex, dynamic attack surfaces and continue to expand runZero’s exposure management capabilities.

Additionally, Tod Beardsley recently joined runZero as Vice President of Security Research. Having held leadership roles at Dell, TippingPoint, and Rapid7, he most recently served as a Section Chief for the US Cybersecurity and Infrastructure Security Agency (CISA) where he managed the Known Exploited Vulnerabilities (KEV) catalog, considered one of the most important sources of authoritative vulnerability information in the world.

“runZero is built around the idea of, ‘how would an attacker look at my network, and are there tricks that I can borrow from them to make sense of my enterprise?’ This unique approach to exposure management provides some of the most valuable introspective intelligence on your own network available,” said Beardsley. “I’m excited to join runZero as we introduce these new capabilities to help security teams proactively mitigate risk.”

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network, without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

How to find Rockwell Automation devices

Latest Rockwell Automation vulnerability

Rockwell Automation has disclosed a vulnerability in their GuardLogix and Compact GuardLogix products.

CVE-2025-24478 is rated high, with a CVSS score of 7.1. Successful exploitation of this vulnerability would allow attackers to create an unrecoverable denial-of-service condition, requiring power cycling of the device to restore function. This vulnerability is exploitable over the network and without authentication.

The following devices are affected by this vulnerability:

  • GuardLogix 5580 (SIL 3 with the safety partner 3): Versions prior to V33.017, V34.014, V35.013, V36.011
  • Compact GuardLogix 5380 SIL 3: Versions prior to V33.017, V34.014, V35.013, V36.011


Are updates or workarounds available?

Rockwell Automation has released patches for the affected product. Users are advised to update their systems as quickly as possible.


How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate potentially vulnerable systems:

hw:"Rockwell Automation%Logix%5_80"
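The following is an added triage helper, not runZero's own code: it applies the hw: query above to a constructed set of inventory records and then checks each hit against the per-branch fixed firmware revisions listed in the advisory (V33.017, V34.014, V35.013, V36.011). It assumes that `%` and `_` in a runZero search value behave like SQL LIKE wildcards (any run of characters and exactly one character), and that the inventory exports a hardware string and a firmware revision per asset.

```python
"""Triage helper for the GuardLogix / Compact GuardLogix advisory above.

Added example, not runZero code. It evaluates the advisory's hw: wildcard
query against constructed inventory records, then decides per hit whether
the firmware revision is below the fixed revision for its major branch.
Assumption: '%' and '_' in a runZero search value behave like SQL LIKE
wildcards (any run of characters / exactly one character).
"""
import re
from typing import Optional

# Fixed firmware revision per major branch, taken from the advisory text:
# "Versions prior to V33.017, V34.014, V35.013, V36.011".
FIXED_BY_BRANCH = {33: (33, 17), 34: (34, 14), 35: (35, 13), 36: (36, 11)}

# Query from the advisory section above.
HW_QUERY = 'hw:"Rockwell Automation%Logix%5_80"'

# Only these models are in scope for the advisory; the hw: query is wider
# (it also matches ControlLogix 5580 and CompactLogix 5380), so a second
# filter keeps the result list honest.
AFFECTED_MODELS = re.compile(r"\b(Compact )?GuardLogix 5[35]80\b")


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a %/_ wildcard value into an anchored, case-insensitive regex."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def hw_matches(query: str, hw: str) -> bool:
    """Evaluate a single hw:"..." term against an asset's hardware string."""
    m = re.fullmatch(r'hw:"([^"]*)"', query)
    if not m:
        raise ValueError(f"unsupported query: {query}")
    return wildcard_to_regex(m.group(1)).match(hw) is not None


def parse_revision(rev: str) -> tuple:
    """'V34.011' or 'v34.11' -> (34, 11)."""
    m = re.fullmatch(r"[vV](\d+)\.(\d+)", rev.strip())
    if not m:
        raise ValueError(f"unrecognised firmware revision: {rev!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(hw: str, firmware: str) -> Optional[bool]:
    """True = below the fixed revision for its branch, False = fixed or not an
    affected model, None = branch not listed in the advisory (manual review)."""
    if not AFFECTED_MODELS.search(hw):
        return False
    major, minor = parse_revision(firmware)
    fixed = FIXED_BY_BRANCH.get(major)
    if fixed is None:
        return None
    return (major, minor) < fixed


# Constructed sample inventory (not real scan data).
INVENTORY = [
    {"name": "plc-01", "hw": "Rockwell Automation GuardLogix 5580", "fw": "V34.011"},
    {"name": "plc-02", "hw": "Rockwell Automation GuardLogix 5580", "fw": "V34.014"},
    {"name": "plc-03", "hw": "Rockwell Automation Compact GuardLogix 5380", "fw": "V36.010"},
    {"name": "plc-04", "hw": "Rockwell Automation ControlLogix 5580", "fw": "V33.011"},
    {"name": "plc-05", "hw": "Rockwell Automation GuardLogix 5580", "fw": "V31.011"},
    {"name": "hmi-01", "hw": "Rockwell Automation PanelView Plus 7", "fw": "V12.001"},
]


def triage(inventory=INVENTORY, query=HW_QUERY) -> dict:
    """Run the query, then classify every hit by its firmware revision."""
    result = {"affected": [], "fixed_or_out_of_scope": [], "review": []}
    buckets = {True: "affected", False: "fixed_or_out_of_scope", None: "review"}
    for asset in inventory:
        if not hw_matches(query, asset["hw"]):
            continue  # hmi-01 never reaches the version check
        result[buckets[is_affected(asset["hw"], asset["fw"])]].append(asset["name"])
    return result


if __name__ == "__main__":
    for bucket, names in triage().items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Assets in the "review" bucket run a branch the advisory does not list; treat them as unconfirmed rather than safe.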


October 2024: FactoryTalk ThinManager

Rockwell Automation has disclosed multiple vulnerabilities in their FactoryTalk ThinManager product.

CVE-2024-10386 is rated critical, with a CVSS v4 score of 9.3 and allows attackers with network access to send specially crafted packets that result in database manipulation.

CVE-2024-10387 is rated high, with a CVSS v4 score of 8.7, and allows attackers with network access to send specially crafted packets to the device, potentially triggering a denial-of-service.

The following versions are currently affected by these vulnerabilities:

  • ThinManager: Versions 11.2.0 to 11.2.9
  • ThinManager: Versions 12.0.0 to 12.0.7
  • ThinManager: Versions 12.1.0 to 12.1.8
  • ThinManager: Versions 13.0.0 to 13.0.5
  • ThinManager: Versions 13.1.0 to 13.1.3
  • ThinManager: Versions 13.2.0 to 13.2.2
  • ThinManager: Version 14.0.0


Are updates or workarounds available?

Rockwell Automation has released patches for the affected product. Users are advised to update their systems as quickly as possible. In addition, users are advised to limit communications to TCP 2031 to only the devices that need connection to the ThinManager.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:"Rockwell Automation" AND tcp:2031


September 2024: ControlLogix, GuardLogix, CompactLogix, and Compact GuardLogix

Rockwell Automation has disclosed multiple vulnerabilities in their ControlLogix, GuardLogix, CompactLogix, and Compact GuardLogix products.

Successful exploitation of these vulnerabilities results in devices becoming remotely inaccessible and crashing, after which manual intervention is required to restart them.

CVE-2024-6077 is rated high, with a CVSS v4 score of 8.7.

Are updates or workarounds available?

Rockwell Automation has released patches and guidance for affected systems. Users are advised to upgrade as quickly as possible. Users may also disable CIP security on these devices to mitigate the issue.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:"Rockwell Automation" AND (hw:"1756-EN2" OR hw:"1756-ENBT" OR hw:"1756-CN2/B" OR hw:"1756-CN2/A" OR hw:"1756-CNB/D" OR hw:"1756-CNB/E")


August 2024: ControlLogix, GuardLogix, CompactLogix, and Compact GuardLogix

Rockwell Automation has disclosed multiple vulnerabilities in their ControlLogix, GuardLogix, CompactLogix, and Compact GuardLogix products.

Successful exploitation of these vulnerabilities results in devices becoming remotely inaccessible and crashing, after which manual intervention is required to restart them.

CVE-2024-40619 is rated medium with a CVSS score of 7.5 and indicates a denial-of-service scenario due to a malformed CIP packet which causes a device to crash and require a manual restart.

Affected products, with the firmware revision in which the issue was first known and the revision that corrects it:

  • ControlLogix 5580: first known in v34.011; corrected in v34.014 and later
  • GuardLogix 5580: first known in v34.011; corrected in v34.014 and later


Are updates or workarounds available?

Rockwell Automation suggests updating devices to the corrected firmware revision.

  • CVE-2024-7515 is rated high with a CVSS score of 8.6 and indicates a denial-of-service scenario due to a malformed PTP management packet which causes a device to crash and require a manual restart.
  • CVE-2024-7507 is rated medium with a CVSS score of 7.5 and indicates a denial-of-service scenario due to a malformed PCCC packet which causes a device to crash and require a manual restart.

Rockwell Automation suggests updating devices to the corrected firmware revision. Additionally, they recommend restricting communication to CIP object 103 (0x67).

Affected products, with the firmware revisions prior to which the issue is present and the revisions that correct it:

  • CompactLogix 5380 (5069-L3z): prior to v36.011, v35.013, v34.014; corrected in v36.011, v35.013, v34.014
  • CompactLogix 5480 (5069-L4): prior to v36.011, v35.013, v34.014; corrected in v36.011, v35.013, v34.014
  • ControlLogix 5580 (1756-L8z): prior to v36.011, v35.013, v34.014; corrected in v36.011, v35.013, v34.014
  • GuardLogix 5580 (1756-L8z): prior to v36.011, v35.013, v34.014; corrected in v36.011, v35.013, v34.014
  • Compact GuardLogix 5380 (5069-L3zS2): prior to v36.011, v35.013, v34.014; corrected in v36.011, v35.013, v34.014

In all of the cases above, users should ensure these devices are isolated in their own networks to prevent unwanted packets flooding the device.


How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:"Rockwell Automation" AND (hw:"1756-EN2" OR hw:"1756-ENBT" OR hw:"1756-CN2/B" OR hw:"1756-CN2/A" OR hw:"1756-CNB/D" OR hw:"1756-CNB/E")


August 2024: ControlLogix, GuardLogix, and 1756 ControlLogix I/O Modules

On August 1st, 2024, Rockwell Automation disclosed a vulnerability in their ControlLogix, GuardLogix, and 1756 ControlLogix I/O Modules products.

CVE-2024-6242 is rated high with CVSS score of 7.3 and allows a threat actor to bypass the Trusted® Slot feature in a ControlLogix® controller.

If a threat actor successfully exploits this vulnerability on any affected module in a 1756 chassis, they could potentially execute CIP commands that modify user projects and/or device configuration on a Logix controller in the chassis.


Are updates or workarounds available?

Rockwell Automation recommends upgrading devices to apply the fixes for the affected devices.

Affected products, with the firmware revision in which the issue was first known and the revision that corrects it:

  • ControlLogix® 5580 (1756-L8z): first known in V28; corrected in V32.016, V33.015, V34.014, V35.011 and later
  • GuardLogix® 5580 (1756-L8zS): first known in V31; corrected in V32.016, V33.015, V34.014, V35.011 and later
  • 1756-EN4TR: first known in V2; corrected in V5.001 and later
  • 1756-EN2T Series A/B/C, 1756-EN2F Series A/B, 1756-EN2TR Series A/B, and 1756-EN3TR Series B: first known in v5.007 (unsigned) / v5.027 (signed); no fix is available for Series A/B/C, and users can upgrade to Series D to remediate this vulnerability
  • 1756-EN2T Series D, 1756-EN2F Series C, 1756-EN2TR Series C, 1756-EN3TR Series B, and 1756-EN2TP Series A: first known in 1756-EN2T/D V10.006, 1756-EN2F/C V10.009, 1756-EN2TR/C V10.007, 1756-EN3TR/B V10.007, 1756-EN2TP/A V10.020; corrected in V12.001 and later

Additionally, limit the allowed CIP commands on controllers by setting the mode switch to the RUN position.


How runZero users found potentially vulnerable systems

From the Asset Inventory, runZero users applied the following query to locate systems running potentially vulnerable software:

hw:"1756-EN2" OR hw:"1756-EN3" OR hw:"1756-EN4"


April 2024: ControlLogix 5580, Guard Logix 5580, CompactLogix 5380, and 1756-EN4TR

In April 2024, Rockwell Automation disclosed a vulnerability in their ControlLogix 5580, Guard Logix 5580, CompactLogix 5380, and 1756-EN4TR products.

CVE-2024-3493 was rated high with CVSS score of 8.6 and involved a specific malformed fragmented packet type which could cause a major nonrecoverable fault (MNRF) in Rockwell Automation’s ControlLogix 5580, Guard Logix 5580, CompactLogix 5380, and 1756-EN4TR. If exploited, the affected product would become unavailable and require a manual restart to recover it.

What was the impact?

Successful exploitation of these vulnerabilities resulted in devices becoming remotely inaccessible and crashing, after which manual intervention was required to restart them.

Rockwell Automation provided software updates for the impacted versions.

Affected products, with the firmware revision in which the issue was first known and the revision that corrects it:

  • ControlLogix® 5580: first known in V35.011; corrected in V35.013, V36.011
  • GuardLogix 5580: first known in V35.011; corrected in V35.013, V36.011
  • CompactLogix 5380: first known in V35.011; corrected in V35.013, V36.011
  • 1756-EN4TR: first known in V5.001; corrected in V6.001


How runZero users found potentially vulnerable systems

From the Asset Inventory, runZero users could use the following query to locate systems running potentially vulnerable software:

hw:"1756-EN4TR"


March 2024: Rockwell Automation PowerFlex 527

In March 2024, Rockwell Automation disclosed multiple vulnerabilities in their PowerFlex 527 product.

CVE-2024-2425 and CVE-2024-2426 are both rated high with a CVSS score of 7.5. Both involve improper input validation, which could cause the web server to crash and disrupt CIP communication, respectively, requiring manual restarts.

CVE-2024-2427 is rated high with a CVSS score of 7.5 and indicates a denial-of-service scenario due to improper network packet throttling which causes a device to crash and require a manual restart.


What was the impact?

Successful exploitation of these vulnerabilities results in devices becoming remotely inaccessible and crashing, after which manual intervention is required to restart them.


Are updates or workarounds available?

Rockwell Automation does not currently have a fix for these vulnerabilities. Users of the affected software are encouraged to apply risk mitigations and security best practices, where possible.

Users should disable the web server if it is not needed; it should already be disabled by default. Additionally, users should ensure these devices are isolated in their own networks to prevent unwanted packets flooding the device.


How to find potentially vulnerable PowerFlex products

From the Asset Inventory, runZero users used the following query to locate systems running potentially vulnerable software:

hw.product:"powerflex"


How to find Siemens devices on your network

Multiple vulnerabilities (February 2025)

Siemens disclosed multiple vulnerabilities in various product lines:

  • SSA-111547 – cleartext storage of sensitive information in SIPROTEC 5 (CVSS score 5.1)
  • SSA-195895 – user enumeration vulnerability in the web server of SIMATIC Products (CVSS score 6.9)
  • SSA-224824 – denial of service vulnerabilities in SIMATIC S7-1200 CPU Family before V4.7 (CVSS score 8.7)
  • SSA-246355 – multiple vulnerabilities in Tableau Server Component of Opcenter Intelligence before V2501 (CVSS score 10.0)
  • SSA-342348 – insufficient session expiration vulnerability in Siemens SIMATIC PCS neo, TIA Administrator, and TIA Portal (CVSS score 8.7)
  • SSA-687955 – accessible development shell via physical interface in SIPROTEC 5 (CVSS score 7.0)
  • SSA-698820 – multiple vulnerabilities in FortiGate NGFW before V7.4.4 on RUGGEDCOM APE1808 devices (CVSS score 9.0)
  • SSA-767615 – information disclosure via SNMP in SIPROTEC 5 devices (CVSS score 8.7)
  • SSA-769027 – multiple vulnerabilities in SCALANCE W700 IEEE 802.11ax devices before V3.0.0 (CVSS score 8.6)
  • SSA-770770 – multiple vulnerabilities in FortiGate NGFW before V7.4.5 on RUGGEDCOM APE1808 devices (CVSS score 7.5)

What is the impact?

The disclosed vulnerabilities range in severity. For the most critical vulnerabilities, unauthenticated remote attackers could execute arbitrary code and completely take over a vulnerable system. Successful exploitation of other disclosed vulnerabilities could result in denial-of-service conditions, disclosure of sensitive information, or access to the underlying filesystem.

Are updates or workarounds available?

For the disclosed vulnerabilities, Siemens has released updates or patches. Siemens recommends that access is restricted to trusted sources. Refer to Siemens’ website for more information about their operational guideline recommendation.

How to find potentially vulnerable systems

From the Asset Inventory, runZero users applied the following query to locate systems running potentially vulnerable software:

hw:"SCALANCE M8" OR hw:"SIMATIC" OR hw:"RUGGEDCOM" OR hw:"SCALANCE"

Ten vulnerabilities disclosed in Siemens products (December 2024)

Siemens disclosed ten vulnerabilities in a variety of Siemens products, including their RUGGEDCOM, SENTRON, and other product lines. These vulnerabilities have CVSS scores that range from 5.1 (moderate) to 8.6 (high).

The disclosed vulnerabilities range in severity. For the most critical vulnerabilities, unauthenticated remote attackers could perform unauthorized administrative actions if they are able to get a local user to click on a malicious link. Successful exploitation of other disclosed vulnerabilities could result in denial-of-service conditions or disclosure of sensitive information.

Siemens has released updated patches for these vulnerabilities. Siemens also recommends that all systems be kept behind firewalls and have unnecessary services disabled.

How to find potentially vulnerable systems

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:Siemens


Multiple vulnerabilities (November 2024)

Siemens disclosed multiple vulnerabilities in various product lines:

  • SSA-354112 – multiple vulnerabilities in SCALANCE M-800 Family devices (CVSS score 8.6)
  • SSA-654798 – unauthenticated remote access to the filesystem in SIMATIC CP devices (CVSS score 8.7)
  • SSA-454789 – deserialization of untrusted data in TeleControl Server (CVSS score 10.0)

What is the impact?

The disclosed vulnerabilities range in severity. For the most critical vulnerabilities, unauthenticated remote attackers could execute arbitrary code and completely take over a vulnerable system. Successful exploitation of other disclosed vulnerabilities could result in denial-of-service conditions, disclosure of sensitive information, or access to the underlying filesystem.

Are updates or workarounds available?

For the disclosed vulnerabilities, Siemens has released updates or patches. Siemens recommends that access is restricted to trusted sources. Refer to Siemens’ website for more information about their operational guideline recommendation.

How to find potentially vulnerable systems

From the Asset Inventory, runZero users applied the following query to locate systems running potentially vulnerable software:

hw:"SCALANCE M8" OR hw:"SCALANCE S615" OR hw:"SIMATIC CP" OR (os:"Windows" AND tcp_port:26865)

35 vulnerabilities (September 2024)

Siemens disclosed 35 vulnerabilities in a variety of Siemens products, including their LOGO!, SIMATIC, SINEMA, and other product lines. These vulnerabilities have CVSS scores that range from 4.3 (moderate) to 10 (extremely critical).

The most critical vulnerabilities disclosed include:

  • SSA-955858 – multiple vulnerabilities in LOGO! 8 BM devices (CVSS score 9.8)
  • SSA-832273 – multiple vulnerabilities in RUGGEDCOM devices (CVSS score 9.8)
  • SSA-721642 – multiple vulnerabilities in SCALANCE devices (CVSS score 9.1)
  • SSA-673996 – multiple vulnerabilities in SICAM and SITIPE devices (CVSS score 8.2)
  • SSA-629254 – remote code execution vulnerability in SIMATIC SCADA and PCS 7 systems (CVSS score 9.1)
  • SSA-455250 – multiple vulnerabilities in RUGGEDCOM devices (CVSS score 9.8)
  • SSA-039007 – heap-based buffer overflow in the Siemens User Management Console component (CVSS score 9.8)

The disclosed vulnerabilities range in severity. For the most critical vulnerabilities, unauthenticated remote attackers could execute arbitrary code and completely take over a vulnerable system. Successful exploitation of other disclosed vulnerabilities could result in denial-of-service conditions or disclosure of sensitive information.

For most of the disclosed vulnerabilities, Siemens has released updates or patches. However, some vulnerabilities mentioned above, including some critical vulnerabilities, do not have patches released and it is unclear when such updates would be available. Siemens recommends that all systems be kept behind firewalls and have unnecessary services disabled.

How to find potentially vulnerable systems

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:Siemens

SCALANCE and RUGGEDCOM products (August 2024)

Siemens disclosed multiple vulnerabilities for a variety of products and devices, including the SCALANCE and RUGGEDCOM product lines.

  • CVE-2024-41976 is rated high, with a CVSS score of 7.2, and allows an attacker to issue invalid VPN configuration data causing an authenticated attacker to execute arbitrary code.
  • CVE-2024-41977 is rated high, with a CVSS score of 7.1, and allows an attacker to escalate their privileges due to devices not properly enforcing user session isolation.
  • CVE-2024-41978 is rated high, with a CVSS score of 6.5, and allows an authenticated attacker to forge 2FA tokens of other users due to devices storing sensitive 2FA information in log files on disk.
  • CVE-2024-44321 is rated medium, with a CVSS score of 2.7, and allows an attacker to issue large input data causing an unauthenticated denial-of-service.

Successful exploitation of these vulnerabilities would allow an authenticated attacker to remotely execute code, escalate their privileges, or forge other users' credentials. The first three require the attacker to be authenticated before they can be exploited.

The last vulnerability has a lower score, but triggering the denial-of-service condition would still require the device to be restarted.

Siemens recommends upgrading all affected devices to firmware V8.1 or later. Additionally, users should ensure these devices are isolated in their own networks to prevent unwanted network traffic to the device.

How to find potentially vulnerable systems

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

hw:"RUGGEDCOM" OR hw:"SCALANCE" OR hw:"LOGO"

CVE-2024-35292 – SIMATIC S7-200 SMART Devices (July 2024)

In July 2024, Siemens disclosed a vulnerability in their SIMATIC S7-200 SMART Devices.

CVE-2024-35292 is rated high, with a CVSS score of 8.2. It allowed attackers to predict IP ID sequence numbers as the basis of an attack, which could eventually allow an attacker to create a denial-of-service condition.

Successful exploitation of this vulnerability would allow an attacker to issue a denial-of-service condition.

The only workaround was to restrict access to the network where the affected products were located by introducing strict access control mechanisms.

How to find potentially vulnerable systems

From the Asset Inventory, runZero users applied the following query to locate systems running potentially vulnerable software:

hw:SIMATIC


SENTRON, SCALANCE, and RUGGEDCOM vulnerabilities (March 2024)

In March 2024, Siemens released security advisories for a variety of products and devices, including the SENTRON, SCALANCE, and RUGGEDCOM product lines.

Several of the vulnerabilities had CVSS scores in the 7.0 to 8.9 range (high) and several more in the 9.0 to 10.0 range (critical).

For the full list of vulnerabilities, you can consult Siemens ProductCERT.

Several of these vulnerabilities allowed for unauthenticated remote code execution, allowing for compromise of the vulnerable systems. Other vulnerabilities could lead to privilege escalation, information disclosure, or denial of service. Users were urged to upgrade as quickly as possible.

Siemens released updates via a variety of channels. See Siemens ProductCERT for details.

How to find potentially vulnerable systems

From the Asset Inventory, runZero users applied the following query to locate Siemens assets that were potentially vulnerable:

hardware:Siemens OR hardware:RuggedCom

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network, without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

How to find Netgear wireless routers and access points on your network

Latest Netgear vulnerabilities

Netgear has disclosed vulnerabilities in certain models of its wireless access points and WiFi routers:

  • PSV-2023-0039 is rated critical, with a CVSS score of 9.8. Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code on the vulnerable device.
  • PSV-2024-0117 is rated critical, with a CVSS score of 9.6. Successful exploitation of this vulnerability would allow an attacker to bypass authentication and take control of the vulnerable device.

There is evidence that these vulnerabilities are being actively exploited in the wild. Note that some of the affected devices, notably the WAX206 and WAX220 wireless access points, are end-of-life; the vendor has nevertheless released a security update for them due to the severity of the issue.

What is the impact?

Successful exploitation of these vulnerabilities would allow an attacker to take control of the vulnerable devices. As these devices are generally located at the network edge, they are often exposed to the public internet.

Are updates or workarounds available?

Netgear has released updated firmware for the affected devices. Users are urged to update as quickly as possible.

How do I find potentially vulnerable systems with runZero?

From the Asset Inventory, use the following query to locate potentially vulnerable systems:

    hw:"XR1000" OR
    hw:"XR1000v2" OR
    hw:"XR500" OR
    hw:"WAX206" OR
    hw:"WAX220" OR
    hw:"WAX214v2" OR
    hw:"WAX2xx"

Inside-Out Attack Surface Management: Identify the risk before hackers bridge the gap

In this article, we walk through common scenarios that attribution-based attack surface management tools miss and demonstrate how you can use runZero’s new Inside-Out Attack Surface Management (IOASM) capabilities to close these gaps. IOASM helps you defend against opportunistic attacks by leveraging precise device fingerprinting to uncover exposures that are impossible to find through attribution alone.

The attribution challenge

Attackers are continuously scanning and prodding internet-facing systems, looking for easy wins. Although many campaigns start by knocking on your front door — testing assets clearly associated with your domain and IP space — attackers are just as likely to stumble upon an exposed system, compromise it, and only later realize it belongs to you. Opportunistic attacks drive an entire sub-category of the cyber-crime economy: initial access brokers. These criminal groups gain a foothold into your organization and then sell that access to other groups that steal data and attempt to extort money.

External attack surface management (EASM) tools (including runZero!) can reduce your risk by quickly flagging exposures before they can be exploited. You provide these tools with a list of domain names, IP addresses, autonomous system numbers (ASNs), and other identifiers, and the EASM attribution process will iterate on these “seeds” to identify internet-exposed assets. This process works great for well-known organizational resources, but often misses exposures where attribution is impossible using IP addresses and domain names alone.

Flipping the script with Inside-Out Attack Surface Management

This is where Inside-Out Attack Surface Management (IOASM) changes the game. While attribution-based EASM tools often struggle to identify exposures beyond their predefined “seeds,” IOASM flips the script by leveraging detailed knowledge of your internal assets to quickly and accurately identify external exposures, no matter where they are.

Instead of starting with known IPs or domains, the runZero Platform builds device fingerprints from attributes it gathers through external and internal active and passive discovery, as well as integrations with systems like cloud provider APIs and vulnerability scanners. This fingerprinting process captures details such as TLS certificates, SSH host keys, and SNMP metadata, in addition to other system-specific attributes, which tend to remain consistent even when a device changes IP addresses, network segments, or is redeployed from an image. By beginning with an internal baseline of these fingerprints, runZero can pinpoint each device’s unique identity deep within the environment, and then correlate those same devices against information collected externally.

If an asset that was once detected in an isolated subnet suddenly appears on the internet — or if a device spins up in a public cloud and shares the same cryptographic fingerprint as one on-prem — runZero recognizes that it’s the same underlying system. This is why inside-out discovery is so effective: rather than relying on traditional attribution methods like IP ranges or domain registries, runZero focuses on inherent device characteristics.

Once a device’s fingerprint is known, any reappearance gets flagged — be it behind corporate firewalls or exposed on a public IP. This allows security teams to see connections and gaps that external-only scans would miss. Through this inside-out lens, organizations can uncover at-risk assets faster and more accurately, significantly reducing blind spots that attackers often exploit.

To demonstrate, the scenarios outlined below highlight why attribution-based external attack surface management tools struggle with certain types of exposures and how IOASM can help you find the blind spots.

Common scenarios missed by attribution-based EASM

1. The Legacy VPN

A global manufacturer migrated from per-site VPN gateways to zero-trust network access (ZTNA) using endpoint agents. After the migration was complete, the per-site VPN gateways were decommissioned. Unfortunately, the VPN gateway at a small branch office was never turned off. Months later, this gateway was compromised through a zero-day vulnerability in the SSL VPN function, allowing attackers to gain access to the corporate network. Worse, cached credentials dumped from the compromised gateway enabled further ingress into the network.

Why was this missed?

After migrating to ZTNA, the DNS records for the VPN gateways were removed. For small offices, the VPN gateways were connected through business broadband connections, and those IPs were not recorded in the organization’s inventory or part of their EASM configuration.

How did runZero help?

A comprehensive internal discovery scan identified the legacy VPN gateway, leveraging runZero’s advanced device fingerprinting to ensure no assets were overlooked. The runZero Platform’s ability to perform regular, automated scans ensures that similar devices are identified promptly, even if they are misconfigured or hidden in unexpected network segments. Once the gateway was flagged, an alert was configured to notify the security team if any similar devices appeared on the network in the future.

2. The Mobile Broadband Leak

A large financial organization issued laptops to their senior staff, each equipped with built-in mobile broadband cards (cellular modems). The intent was to ensure their team could stay connected even during transit, without relying on public WiFi. These Windows laptops were continuously connected to the mobile network and roamed between cellular providers, even while simultaneously connected to the corporate network through WiFi and wired Ethernet. Depending on which cellular provider was in use, these laptops would sometimes receive public IPv4 and IPv6 addresses, yet the firewall was not configured to block inbound connections. As a result, some portion of the senior staff’s laptops were directly exposed to the internet on semi-random IP addresses. This, in turn, exposed the Remote Desktop and the SMB (CIFS) services to internet attacks. Fortunately, one of these systems was identified in the public Shodan search portal based on the organization’s unique Active Directory domain, and the issue was resolved by deploying a group policy for Windows Firewall that always treated the mobile broadband connection as a public network.

Why was this missed?

Mobile broadband connections can vary dramatically by provider and location. Some providers place customers into private IP space, while others assign public IPs. In some cases private IPv4 addresses are assigned in addition to public IPv6 addresses. Attribution-based exposure management tools struggle to find these connections.

How did runZero help?

An internal scan identified the public IP addresses of these Windows laptops using a combination of unauthenticated NetBIOS (UDP) and DCERPC (IOXIDResolver) probes, leveraging runZero’s asset fingerprinting to detect and categorize the devices accurately. Because runZero conducts both internal and external scans, none of the public IP addresses associated with these devices were overlooked, even as they roamed between cellular providers. A direct scan of these public IPs confirmed that the mobile broadband connections exposed the machines directly to the internet, including the Remote Desktop and SMB services.

Additionally, runZero’s automated inventory and exposure tracking ensured that any newly exposed IP addresses were promptly identified. An alert rule was configured to notify the security team whenever a Windows machine on the internal network was detected with a public IP address, enabling real-time monitoring of at-risk devices. This proactive visibility not only mitigated the immediate risk but also provided actionable insights for implementing policies to prevent future exposures, such as refining firewall rules and deploying group policies for Windows Firewall.
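The alert rule in this scenario boils down to one check: a Windows host on the internal network that also holds a globally routable address. The following is an added example, not runZero's code, showing that check with Python's standard `ipaddress` module. The asset records are constructed; on a real network the address list would come from the unauthenticated NetBIOS and IOXIDResolver probes described above. One caveat worth knowing before you test such a rule: the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and the carrier-grade NAT range 100.64.0.0/10 are not treated as global by `ipaddress`, so the "public" sample addresses below are arbitrary placeholders from routable space rather than documentation addresses.

```python
"""Added example (not runZero code): flag internal Windows hosts that also hold a
globally routable address, the condition behind the mobile broadband alert rule.
Asset records are constructed; the public addresses are arbitrary placeholders."""
import ipaddress
from dataclasses import dataclass, field

CGNAT = ipaddress.ip_network("100.64.0.0/10")      # carrier NAT: never reachable from outside
EXPOSED_SERVICES = {135: "dcerpc", 445: "smb", 3389: "rdp"}  # Windows services of concern


@dataclass
class Asset:
    name: str
    os: str
    addresses: list                               # every address the host reported for itself
    listening: list = field(default_factory=list)  # TCP ports observed open on the host


def classify(addr: str) -> str:
    """Return 'public', 'cgnat', 'private' or 'other' for one address string."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and ip in CGNAT:
        return "cgnat"
    if ip.is_private or ip.is_link_local or ip.is_loopback or ip.is_multicast:
        return "private"          # RFC 1918, ULA, fe80::/10, RFC 5737 doc ranges, ...
    return "public" if ip.is_global else "other"


def public_addresses(asset: Asset) -> list:
    return [a for a in asset.addresses if classify(a) == "public"]


def find_exposed_windows_hosts(assets):
    """Alert for each Windows asset that has at least one globally routable address,
    naming the sensitive services it is listening on."""
    alerts = []
    for a in assets:
        if not a.os.lower().startswith("windows"):
            continue
        pub = public_addresses(a)
        if not pub:
            continue
        alerts.append({
            "asset": a.name,
            "public_addresses": pub,
            "services": sorted(EXPOSED_SERVICES[p] for p in a.listening if p in EXPOSED_SERVICES),
        })
    return alerts


def sample_assets():
    """Constructed inventory: two leaks, one CGNAT false alarm, one non-Windows host, one LAN-only desktop."""
    return [
        # Laptop on WiFi plus cellular; the carrier handed out a public IPv6 address
        Asset("LT-CFO-01", "Windows 11", ["10.20.1.15", "2a0b:1234:5678::1a2b"], [135, 445, 3389]),
        # Laptop whose carrier uses CGNAT: private v4 plus shared-address v4, nothing public
        Asset("LT-CFO-02", "Windows 11", ["10.20.1.16", "100.64.12.9"], [135, 445, 3389]),
        # Laptop with a public IPv4 address from the carrier
        Asset("LT-COO-01", "Windows 11", ["10.20.1.17", "84.22.100.7"], [445, 3389]),
        # Linux jump host with a public IP: out of scope for this particular rule
        Asset("jump-01", "Ubuntu 22.04", ["10.20.0.5", "84.22.100.9"], [22]),
        # Desktop that only has LAN and link-local addresses
        Asset("WS-0042", "Windows 10", ["10.20.3.200", "fe80::1"], [135, 445]),
    ]


if __name__ == "__main__":
    for alert in find_exposed_windows_hosts(sample_assets()):
        print(alert["asset"], alert["public_addresses"], "exposes", alert["services"])
```

The rule deliberately ignores CGNAT addresses: a laptop behind carrier NAT is not reachable from the internet, and alerting on it would be exactly the kind of noise the article warns about. Confirming the exposure still requires an external scan of the flagged addresses, as the scenario describes.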

3. The “Smart” IP Camera

A national construction firm needed to install a camera in the lobby of their headquarters. They chose an IP camera made by Hikvision, one of the most prolific manufacturers and a type of device that is commonly sold under different brand names. This camera was “smart”; it could detect people and faces and send an alert when particular behavior was observed, such as someone loitering in the lobby after hours. Unfortunately, this camera was too smart; the default configuration caused it to open a hole in the firewall using the UPnP protocol and automatically port-forward several services from the internet to the camera. These services included the video service (RTSP), the web server used for device administration, and a few proprietary Hikvision services.

Shortly after installation, the camera was compromised using an off-the-shelf exploit that enabled remote, unauthenticated command execution through the web service. The attacker gained complete access to the camera and leveraged the Linux operating system shell to explore the company’s internal network. The UPnP-enabled network gateway was an issue on its own, but the automatic port forwarding behavior of the camera escalated the situation into a full-blown crisis.

Why was it missed?

This is an example where EASM can help, but only if the exposure is identified and mitigated quickly. EASM tools can be noisy, and investigating a newly reported exposure and tracking down the appropriate owner can take days or weeks.

How did runZero help?

An internal network scan combined with IOASM capabilities immediately flagged this system as being externally exposed and accurately matched the internal asset to its corresponding external exposure. runZero’s advanced fingerprinting techniques ensured that the match was precise, even for devices with dynamic configurations or those hidden behind network complexities. By leveraging a combination of passive and active discovery, the platform provided comprehensive visibility into both internal and external networks.

Once the exposure was identified, an alert rule was created to notify the security team of similar vulnerabilities in the future. Additionally, runZero’s integration capabilities allowed the organization to correlate this exposure with existing threat intelligence feeds, enabling the team to assess whether the exposed device had been targeted or exploited. This integration also streamlined remediation efforts by generating actionable insights, such as misconfiguration details and recommended mitigation steps.
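The mechanism behind this scenario is the gateway's UPnP Internet Gateway Device (IGD) service accepting port mappings from any LAN device. The block below is an added example, not runZero's or Hikvision's code, showing how to walk a gateway's mapping table with the standard `WANIPConnection:1` `GetGenericPortMappingEntry` action and flag forwards that land on sensitive services. Both sides of the SOAP exchange are shown: the client request, and a constructed gateway that answers from a table resembling the one the camera would have created, ending with the standard error 713 (`SpecifiedArrayIndexInvalid`) that marks the end of the table. The LAN addresses, descriptions and the `fake_gateway` function are constructed for the example; to audit a live gateway, replace `fake_gateway` with an HTTP POST of the request body to the control URL from the gateway's SSDP description, sending the `SOAPACTION` header that `soap_action_header` builds.

```python
"""Added example (not runZero code): enumerate a UPnP IGD port mapping table and
audit it for forwards onto sensitive LAN services. The gateway side is constructed."""
import re
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CTRL_NS = "urn:schemas-upnp-org:control-1-0"
# Internal ports whose forwarding from the internet is almost never intentional.
SENSITIVE = {22: "ssh", 80: "http-admin", 443: "https-admin", 554: "rtsp",
             3389: "rdp", 8000: "hikvision-sdk"}


def soap_action_header(action: str) -> str:
    """Value of the SOAPACTION HTTP header a real client sends with the POST."""
    return f'"{SERVICE}#{action}"'


def build_request(index: int) -> str:
    """SOAP body asking the IGD for the mapping stored at position `index`."""
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}" '
            f's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{SERVICE}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            f'</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]          # strip any "{namespace}" prefix


def parse_response(xml_text: str):
    """Return the mapping fields, or None on error 713 (end of the table)."""
    root = ET.fromstring(xml_text)
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is not None:
        code = fault.find(f".//{{{CTRL_NS}}}errorCode")
        if code is not None and (code.text or "").strip() == "713":
            return None
        raise RuntimeError("UPnP fault: " + ET.tostring(fault, encoding="unicode"))
    resp = root.find(f".//{{{SERVICE}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntry response")
    f = {_local(c.tag): (c.text or "").strip() for c in resp}
    return {"remote_host": f["NewRemoteHost"] or "*", "external_port": int(f["NewExternalPort"]),
            "protocol": f["NewProtocol"], "internal_port": int(f["NewInternalPort"]),
            "internal_client": f["NewInternalClient"], "enabled": f["NewEnabled"] == "1",
            "description": f["NewPortMappingDescription"], "lease": int(f["NewLeaseDuration"])}


def enumerate_mappings(post_soap, limit=256):
    """Walk the table by index until the gateway reports 713; `post_soap` sends one request."""
    mappings = []
    for i in range(limit):
        entry = parse_response(post_soap(build_request(i)))
        if entry is None:
            break
        mappings.append(entry)
    return mappings


def audit(mappings):
    """Group enabled mappings by LAN client and name the sensitive services they expose."""
    findings = {}
    for m in mappings:
        if not m["enabled"]:
            continue
        entry = findings.setdefault(m["internal_client"], {"ports": [], "sensitive": []})
        entry["ports"].append(f'{m["external_port"]}->{m["internal_port"]}/{m["protocol"]}')
        if m["internal_port"] in SENSITIVE:
            entry["sensitive"].append(SENSITIVE[m["internal_port"]])
    return findings


# Constructed gateway state: the kind of table a self-forwarding camera leaves behind.
CONSTRUCTED_TABLE = [
    ("", 554, "TCP", 554, "192.168.1.50", "1", "IP camera RTSP", 0),
    ("", 8080, "TCP", 80, "192.168.1.50", "1", "IP camera HTTP", 0),
    ("", 8000, "TCP", 8000, "192.168.1.50", "1", "IP camera SDK", 0),
    ("", 51413, "TCP", 51413, "192.168.1.23", "1", "torrent client", 604800),
    ("", 3389, "TCP", 3389, "192.168.1.77", "0", "disabled rdp", 0),
]


def fake_gateway(request_xml: str) -> str:
    """Stand-in for the HTTP POST to the IGD control URL (constructed responses)."""
    idx = int(re.search(r"<NewPortMappingIndex>(\d+)<", request_xml).group(1))
    if idx >= len(CONSTRUCTED_TABLE):
        return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault><faultcode>s:Client</faultcode>'
                f'<faultstring>UPnPError</faultstring><detail><UPnPError xmlns="{CTRL_NS}">'
                f'<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid'
                f'</errorDescription></UPnPError></detail></s:Fault></s:Body></s:Envelope>')
    rh, ep, proto, ip, client, en, desc, lease = CONSTRUCTED_TABLE[idx]
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">'
            f'<NewRemoteHost>{rh}</NewRemoteHost><NewExternalPort>{ep}</NewExternalPort>'
            f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{ip}</NewInternalPort>'
            f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>{en}</NewEnabled>'
            f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
            f'<NewLeaseDuration>{lease}</NewLeaseDuration>'
            f'</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')


if __name__ == "__main__":
    for client, found in audit(enumerate_mappings(fake_gateway)).items():
        print(client, found["ports"], "sensitive:", found["sensitive"])
```

Disabled mappings are skipped on purpose, but a long-lived (lease 0) forward onto an RTSP or administrative port is the finding to act on; the fix is to disable UPnP on the gateway, not to delete mappings one by one, since the camera will simply recreate them.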

4. The Developer Tunnel

A global retailer was developing a new version of their online storefront. This work was being coordinated across multiple groups worldwide, including several external contractors. A standard test environment was configured in the cloud, but deployments were taking too long. As a result, the development team began using “tunnel” software, such as Cloudflare Tunnel and ngrok.io, to share their work-in-progress from their developer machines with the wider group.

An attacker stumbled over one of these tunnels and identified a development console in the application that exposed all environment variables. These environment variables contained a wide range of credentials, including access keys to the production cloud account. Fortunately, rather than backdooring the application or stealing data, the attacker instead launched mining bots for cryptocurrency. The organization noticed the resulting cost spike, traced the leaked credential to the developer workstation, and implemented a policy prohibiting the use of tunnels going forward.

Why was it missed?

The internet-side of the tunnel can pop out almost anywhere, including common providers like Cloudflare and ngrok, as well as on virtual machines hosted by cloud providers like Digital Ocean and Linode. These endpoints have no known relationship to the organization’s domain or registered IP ranges, making them difficult to detect with attribution-based tools.

How did runZero help?

This is another example of how IOASM was able to match the internal fingerprint of the web server to an externally exposed service on a tunnel provider. By leveraging advanced fingerprinting, runZero ensured the match was precise, even for services hosted in dynamic or ephemeral environments like those created by tunnel software. This capability provided visibility into hidden or misconfigured exposures that traditional attribution-based methods would likely miss.

After identifying the exposure, an alert rule was configured to notify the security team of any similar issues in the future. Additionally, runZero’s ability to integrate with SIEMs and other security tools allowed the team to automate follow-up actions, such as blocking traffic to unapproved tunnel providers or initiating incident response workflows. The runZero Platform’s continuous monitoring ensures that new tunnels or services appearing in the environment are flagged immediately, reducing detection and response times.

Minimal noise and no real false positives

An important point to note is that IOASM uses detailed fingerprints and a set of layered heuristics to determine if a match between an internal and external asset represents an exposure. This process isn’t perfect, but even in cases where a match doesn’t indicate a true exposure, it still highlights a risk. For example, if the same TLS certificate is found on an internal storage device and also observed on the internet, it could either mean this is the same device or that the device is using a hardcoded TLS key. runZero’s heuristics automatically report duplicated and widely shared keys.

In addition to reporting shared keys, runZero also assigns varying severity levels based on the confidence of the match. For instance, if an internal web server is using a TLS certificate observed on the internet, and that certificate is signed by a valid authority, this is likely either the internal side of an internet-facing web server cluster or a case where the public TLS certificate is also used on internal systems. runZero will report this as a low-risk exposure. Conversely, if the match involves a Remote Desktop service or an SSH host key that is not widely shared, this is almost certainly a critical issue requiring immediate action, and the exposure is reported as high risk.
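To make the fingerprint correlation described in the "Flipping the script" section and the severity heuristics above concrete, here is an added example in Python. It is not runZero's code and makes no claim about how the platform implements its heuristics; it simply applies the rules the article states: a CA-signed TLS certificate seen on both sides is reported low, key material duplicated across many internal hosts is reported as a shared key rather than as a device match, a unique SSH host key or an RDP service reappearing on a public endpoint is reported high, and anything else medium. The hostnames, addresses, key material and the `SHARED_KEY_THRESHOLD` value are constructed assumptions; the observations mirror the four scenarios plus a hardcoded-certificate case.

```python
"""Added example (not runZero code): correlate fingerprints gathered internally with
what is observed on the internet and grade each match with the article's heuristics.
All hosts, addresses and key material below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
import hashlib

TLS, SSH, MAC = "tls", "ssh", "mac"   # the three exposure detection methods the article lists
SHARED_KEY_THRESHOLD = 3              # assumed: distinct internal hosts before a key is "shared"


def fp(kind: str, material: bytes) -> str:
    """Stable fingerprint for a certificate, host key or MAC (SHA-256, truncated for display)."""
    return f"{kind}:{hashlib.sha256(material).hexdigest()[:16]}"


@dataclass(frozen=True)
class Observation:
    where: str             # "internal" or "external"
    endpoint: str          # ip:port where the material was presented
    service: str           # "https", "ssh", "rdp", ...
    fingerprint: str
    ca_signed: bool = False  # TLS only: certificate chains to a public CA


def find_exposures(observations):
    """Return (exposures, shared_keys).

    An exposure is an internal fingerprint that also shows up on a public endpoint.
    Severity follows the article: CA-signed TLS -> low; key shared across many internal
    hosts -> info (likely hardcoded firmware material, not proof of the same device);
    SSH host key or RDP -> high; otherwise medium."""
    internal, external = defaultdict(list), defaultdict(list)
    for o in observations:
        (internal if o.where == "internal" else external)[o.fingerprint].append(o)

    # Count distinct internal hosts (ip part of ip:port) presenting each key.
    shared_keys = {k for k, obs in internal.items()
                   if len({o.endpoint.rsplit(":", 1)[0] for o in obs}) >= SHARED_KEY_THRESHOLD}

    exposures = []
    for key, ext in external.items():
        if key not in internal:
            continue                       # external-only service: nothing of ours to flag
        intl = internal[key]
        if key.startswith(TLS) and all(o.ca_signed for o in intl):
            severity = "low"
        elif key in shared_keys:
            severity = "info"
        elif key.startswith(SSH) or any(o.service == "rdp" for o in intl + ext):
            severity = "high"
        else:
            severity = "medium"
        exposures.append({"fingerprint": key, "severity": severity,
                          "internal": sorted(o.endpoint for o in intl),
                          "public_endpoints": sorted(o.endpoint for o in ext)})
    return sorted(exposures, key=lambda e: e["fingerprint"]), shared_keys


def sample_observations():
    """Constructed data: the article's four scenarios plus three NAS units sharing one cert."""
    web, vpn, rdp, nas, cam = (fp(TLS, b"web-cluster-cert"), fp(SSH, b"branch-vpn-hostkey"),
                               fp(TLS, b"laptop-rdp-cert"), fp(TLS, b"nas-firmware-cert"),
                               fp(TLS, b"camera-cert"))
    return [
        Observation("internal", "10.0.1.10:443", "https", web, ca_signed=True),
        Observation("external", "203.0.113.10:443", "https", web, ca_signed=True),
        Observation("internal", "10.5.0.1:22", "ssh", vpn),            # the legacy VPN gateway
        Observation("external", "198.51.100.7:22", "ssh", vpn),
        Observation("internal", "10.0.2.50:3389", "rdp", rdp),         # the roaming laptop
        Observation("external", "192.0.2.77:3389", "rdp", rdp),
        Observation("internal", "10.0.3.1:443", "https", nas),          # three NAS units, one cert
        Observation("internal", "10.0.3.2:443", "https", nas),
        Observation("internal", "10.0.3.3:443", "https", nas),
        Observation("external", "198.51.100.200:443", "https", nas),
        Observation("internal", "10.0.4.20:443", "https", cam),         # the UPnP-forwarded camera
        Observation("external", "203.0.113.55:8443", "https", cam),
        Observation("external", "203.0.113.99:22", "ssh", fp(SSH, b"unrelated-host")),
    ]


if __name__ == "__main__":
    exposures, shared = find_exposures(sample_observations())
    for e in exposures:
        print(e["severity"].upper(), e["fingerprint"], e["internal"], "->", e["public_endpoints"])
    print("shared internal keys:", sorted(shared))
```

The ordering of the checks matters: the CA-signed test runs before the shared-key test because a public certificate legitimately sits on every member of a web cluster, while the shared-key test runs before the SSH test because a host key cloned into dozens of VM images says nothing about which of them is on the internet. The camera is the case the article calls out as hardest for attribution-based tools: the external port differs from the internal one, but the certificate is identical, so the match still holds.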

From theoretical to operational

While it’s easy for us to describe how runZero can detect these threats, it’s even better to show you how to do it in your own instance. The good news is that Inside-Out exposure detection is enabled by default for all runZero customers.

To get started, navigate to the Inventory -> Vulnerabilities section and search for the word “Exposure”. Any internal assets that runZero was able to identify externally, regardless of IP address or location, will be flagged with a vulnerability record based on the type of exposure.

The three exposure detection methods available today are:

  • TLS Certificate
  • SSH Hostkey
  • MAC Address

Here’s an example of an exposure that was identified by matching a TLS public key:

Clicking on the name of the vulnerability will open the details page. This page also provides a list of the public endpoints where this internal system was observed:
