
runZero Accelerates European Growth Through Strategic Partnership with Aqaio

German Cybersecurity Specialist Appointed as Primary Distributor for runZero to Drive Expansion in the DACH-Region

London, United Kingdom – July 24, 2025 – runZero, a leader in exposure management, today announced a strategic partnership with Aqaio, a German value-added distributor specializing in advanced IT security solutions. As runZero’s primary channel partner in Germany, Aqaio will spearhead regional growth efforts by delivering runZero’s expanded exposure management platform to organizations navigating today’s increasingly complex cyber threat landscape.

This alliance represents a significant milestone in runZero’s wider EMEA growth strategy. Leveraging Aqaio’s deep market expertise and established channel network, runZero can now accelerate its European expansion while offering localized support tailored to the specific needs of German organizations.

Partnership highlights include:

  • Localized Expertise: Aqaio brings in-depth knowledge of the German cybersecurity market, enabling specialized customer engagement and faster time-to-value.
  • Expanded Channel Reach: A top-tier network of resellers and systems integrators gains access to runZero’s powerful exposure management platform, enabling them to offer comprehensive proactive cyber defense to their end customers.
  • Streamlined Distribution and Support: Aqaio will facilitate seamless implementation via dedicated consulting, logistics, and certified training services for partners and end users.

“This partnership with runZero is a strategic win for our channel ecosystem,” said Richard Hellmeier, CEO at Aqaio. “They are no longer selling just another product — they’re delivering a vital capability. runZero’s technology is fast to deploy, easy to integrate, and solves a foundational security challenge. It aligns perfectly with our mission to deliver holistic and forward-looking solutions to the market.”

“In today’s rapidly shifting threat landscape, partnerships like this are essential to delivering resilient, scalable cybersecurity,” said Joe Taborek, Chief Revenue Officer at runZero. “Aqaio’s proven expertise and reach across the German market empower us to extend access to the runZero Platform and strengthen cyber readiness from the ground up. Together, we’re helping build a safer, smarter digital future.”

About Aqaio

Aqaio partners with resellers, system integrators, and OEMs. We focus on new technological developments, which we supplement and expand with complementary solutions from market and technology leaders in the IT security field. We also provide 2nd level support and training for our partners and their end-customers. The product portfolio consists of high-end IT products that complement each other and can be combined to create integrated solutions. Additionally, Aqaio offers services such as consulting, marketing support, logistics, training, and technical support. For more information, visit: https://aqaio.com/

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

runZero Named to Rising in Cyber 2025 List of Top Cybersecurity Startups

Selected by CISOs and leading investors, the list recognizes the 30 startups shaping the future of security.

Austin, Texas — June 4, 2025 — runZero, the leader in total attack surface management, today announced its inclusion in Rising in Cyber 2025, an independent list launched by Notable Capital to spotlight the 30 most promising cybersecurity startups shaping the future of security.

Unlike traditional rankings, Rising in Cyber 2025 honorees were selected through a multi-stage process grounded in real-world validation. Leading cybersecurity venture firms submitted nominations, and nearly 150 Chief Information Security Officers (CISOs) and senior security executives voted on the final list, highlighting the companies solving the most urgent challenges facing today’s security teams.

runZero was selected for its innovative approach to exposure management and attack surface discovery, helping security teams navigate today’s complex threat landscape. Unlike traditional vulnerability management solutions, runZero delivers complete and accurate visibility into every asset and exposure across internal, external, IT, OT, IoT, mobile, and cloud environments, including uncovering unknown and unmanageable devices and broad classes of exposures that evade other tools.

The company joins a cohort that has collectively raised over $7.8 billion, according to Pitchbook as of May 2025, and is defining the next era of cybersecurity across key areas like identity, application security, agentic AI, and security operations.

“The demand for cybersecurity innovation has never been greater. As the underlying technologies evolve and agentic AI reshapes everything from threat detection to team workflows, we’re witnessing a shift from reactive defense to proactive, intelligence-driven operations,” said Oren Yunger, Managing Partner at Notable Capital. “What makes this list special is that it reflects real-world validation — honorees were chosen by CISOs who face these challenges every day. Congratulations to this year’s Rising in Cyber companies for building the solutions that modern security leaders truly want and need.”

In celebration, honorees will be recognized today at the New York Stock Exchange (NYSE) alongside top security leaders and investors.

“We’re honored to be recognized as a Rising in Cyber 2025 company. runZero is challenging the status quo with a novel approach to exposure management that can finally provide defenders with the attack surface visibility and comprehensive risk detection required to protect complex, dynamic environments,” said Julie Albright, Chief Operating Officer for runZero. “As a disruptor in our space, it’s great to be acknowledged by CISOs who are in the trenches every day and who have struggled with outdated approaches to vulnerability management that are fundamentally broken. This recognition is a testament to the innovative approach we’ve taken and the meaningful impact we are making for teams responsible for securing their organizations against an increasingly challenging threat landscape.”

A new approach to exposure management

Leveraging innovative technology and proprietary discovery techniques, runZero provides organizations with the most complete and accurate visibility across their total attack surface, including unknown and unmanageable assets. On average, runZero enterprise customers report finding 25% more assets than they were previously aware of, with some environments yielding 10x more assets than security teams expected, radically expanding their view of their attack surfaces and the exposures within. These previously unknown assets are often those at the most risk.

Starting with a foundation of comprehensive visibility enables runZero to provide full-spectrum exposure detection across internal and external attack surfaces. Advanced fingerprinting methodologies build detailed, accurate profiles of each asset in the environment using a library of almost 1,000 attributes. This unmatched depth of data enables the platform to identify much broader classes of exposures going well beyond CVEs to identify risks that evade traditional vulnerability and external attack surface management solutions. runZero recently released new risk findings and dashboards, providing a novel paradigm for organizing, addressing, and tracking exposures over time.

To learn more about Rising in Cyber 2025, visit https://www.risingincyber.com/.

 

About Rising in Cyber

Rising in Cyber is an annual list recognizing the most innovative startups in cybersecurity as determined by nearly 150 leading CISOs and cybersecurity executives. Nomination criteria included private, venture-backed companies with a primary product focus on cybersecurity and the U.S. as a primary market. For more information about the honorees, participating investors, and methodology, visit www.risingincyber.com.

About Notable Capital

Notable Capital is a global venture capital firm based in the U.S. focused on early-to-growth-stage companies in cloud infrastructure and business and consumer applications. The firm invests primarily in the U.S., Israel, Europe, and Latin America. Notable Capital portfolio companies include Affirm, Airbnb, Anthropic, Brightwheel, Drata, Fal.ai, Handshake, HashiCorp, Ibotta, Monte Carlo, Neon, Orca Security, Quince, Slack, Stori, Vercel, and more.

Notable Capital is a longtime investor in the global cybersecurity sector. Its investments include Bitsight, Descope, Drata, Gem Security (Acquired by Wiz), HashiCorp ($HCP, Acquired by IBM), Nozomi Networks, Orca Security, Torq, Tonic.io, and Vdoo (Acq by JFrog), and more. More information can be found at www.notablecap.com and @notablecap.


runZero Ushers in a New Era of Exposure Management

 

Expanded platform offers new approach to detecting and prioritizing risk, starting with comprehensive visibility across the total attack surface


AUSTIN, TEXAS — March 26, 2025
runZero today established itself at the vanguard of a new era of exposure management, releasing new product capabilities, welcoming executive leadership with deep industry expertise, and gaining channel momentum.

runZero’s expanded platform offers a new approach to effectively manage the risk lifecycle, enabling security teams to find, prioritize, and remediate broad classes of exposures across internal and external attack surfaces, including those that evade traditional vulnerability and external attack surface management solutions. As a single source of truth for exposure management, runZero is the most effective and efficient way for organizations to proactively minimize risk across their total attack surface, including internal, external, IT, OT, IoT, mobile, and cloud environments.

“Our industry needs a paradigm shift if we’re going to successfully secure today’s complex attack surfaces. Legacy approaches are fundamentally flawed, starting with incomplete knowledge of the attack surface itself and inadequate exposure detection capabilities,” said HD Moore, founder and CEO of runZero. “Our goal is to help security teams get better outcomes, which means detecting and prioritizing the exposures that are most likely to be exploited, not flooding them with irrelevant alerts. runZero started by delivering comprehensive discovery across internal and external attack surfaces and is now leveraging novel techniques to uncover high-risk exposures that other solutions simply can’t detect.”

Overcoming persistent problems

Common Vulnerabilities and Exposures (CVEs) are the lingua franca of cybersecurity, having become synonymous with exposure — but not all vulnerabilities have CVEs. Serious misconfigurations, such as exposed databases, broken network segmentation, and unintentional exposure of management servers, are frequently the source of breaches, but rarely get the focus they deserve. Instead, organizations suffer through Sisyphean prioritization tasks that consume resources without reducing the likelihood of an incident.

Current approaches to vulnerability management only uncover a small subset of vulnerabilities, with significant delays, and only reliably identify these exposures under specific and optimal conditions. Models that focus on known-exploited CVEs, a tiny fraction of the total (0.05% according to the CISA KEV), are still leaving gaps measured in weeks that criminals exploit for financial gain.

Traditional tools also fail to discover and defend unknown and unmanageable assets, providing insurmountable challenges throughout the exposure detection and prioritization cycle. Starting with just a fraction of the attack surface makes it impossible to detect the full scope of exposures and prioritize accordingly.

As a result, organizations are spending enormous resources on remediation efforts while still missing the attack paths most likely to be exploited in their environment. Overcoming these persistent, decades-old problems requires a new approach.

A new approach to exposure management

Leveraging innovative technology and proprietary discovery techniques, runZero provides organizations the most complete and accurate visibility across their total attack surface, including unknown and unmanageable assets. On average, runZero enterprise customers report finding 25% more assets than they were previously aware of, with some environments yielding 10x more assets than security teams expected, radically expanding their view of their attack surfaces and the exposures within. These previously unknown assets are often those at the most risk, as they have not been properly tracked by either IT or security teams.

Starting with a foundation of comprehensive visibility enables runZero to provide full-spectrum exposure detection across internal and external attack surfaces. Advanced fingerprinting methodologies build detailed, accurate profiles of each asset in the environment using a library of almost 1,000 attributes. This unmatched depth of data enables the platform to identify much broader classes of exposures going well beyond CVEs to identify risks that evade traditional vulnerability and external attack surface management solutions.

“While runZero started out in the most complex side of ASM, namely the CAASM market, it is already expanding into EASM and broader exposure management use cases, which is a salutary development,” said Rik Turner, Senior Principal Analyst at Omdia. “Its CAASM background provides the most solid foundation for such a move, giving it valuable insights into a customer’s asset estate and making it a strong candidate for any ASM or exposure management project within an organization.”

With runZero, teams can uncover elusive exposures such as network segmentation failures, externally-exposed internal assets, missing security controls, insecure encryption keys, end-of-life software, prohibited devices, and misconfigured OT and IoT devices. runZero also enables organizations to quickly respond to zero days without rescanning by automatically querying data already captured in the fingerprinting process to immediately surface at-risk assets, including unmanaged devices.

In contrast to other solutions that flood teams with alerts, runZero employs data-driven risk prioritization, highlighting the most urgent exposures by leveraging business context, device impact, and meaningful attributes. With highly intuitive risk findings, security teams can focus on critical threats while understanding their broader implications across the attack surface.

Today’s release introduces new risk findings and dashboards, providing a novel paradigm for organizing, addressing, and tracking exposures over time. These findings address the most critical areas of risk, including:

  • Internet exposures: identifying internal assets unintentionally exposed to the internet

  • End-of-life systems: pinpointing assets running unsupported hardware or software

  • Open access services: detecting misconfigurations like unauthenticated databases or exposed management interfaces

  • Known exploited vulnerabilities: highlighting assets targeted by active threats, leveraging insights from CISA KEV and VulnCheck KEV catalogs

  • Compliance challenges: flagging instances of prohibited equipment or configuration issues that violate specific acquisition regulations

  • Certificates and shared keys: identifying a wide range of security issues with TLS certificates and SSH host keys, including expired (and nearly expired) certificates, as well as widely shared private keys

  • Best practice violations: uncovering asset and service configurations that violate security best practices such as authentication without encryption, obsolete protocol detection, and misconfigured services

  • Vulnerabilities: prioritizing issues based on both natively discovered and externally imported vulnerabilities

  • Rapid responses: detecting assets potentially vulnerable to emerging threats

Customers and users of runZero’s free Community Edition have immediate access to these new capabilities at no additional cost.

Channel growth fueling global expansion

runZero has teamed up with leading channel partners to introduce their unique exposure management capabilities to organizations around the globe.

Having grown significantly over the last year, the runZero Infinity Partner Program now encompasses North America, Europe, the Middle East, Africa, Australia, and Asia, including key partners such as Guidepoint (US), Distology (UK + Europe), Secon (UK), AmiViz (Middle East), Kappa Data (Western Europe), CyberCX (Australia), and KDSys (South Korea). These organizations serve as trusted advisors, with a focus on delivering value to their customers by identifying innovative solutions to help them meet today’s security challenges.

“We are thrilled to be partnering with runZero, adding their attack surface and exposure management technology to our expanding portfolio. This amazing product bolsters the Workspace area of the Distology portfolio, and we are excited to jointly take their message to market,” commented Sarah Geary, Chief Commercial Officer at Distology.

New leaders bring decades of experience in exposure management

runZero recently welcomed two industry experts to their leadership team, collectively bringing decades of experience in exposure management as the company continues to bring innovative solutions to market.

New Vice President of Product and Engineering, Brandon Turner, spent over a decade at Rapid7 working on platform delivery and engineering; in his new role at runZero he will leverage years of industry experience to craft solutions that meet the needs of teams securing complex, dynamic attack surfaces and continue to expand runZero’s exposure management capabilities.

Additionally, Tod Beardsley recently joined runZero as Vice President of Security Research. Having held leadership roles at Dell, TippingPoint, and Rapid7, he most recently served as a Section Chief for the US Cybersecurity and Infrastructure Security Agency (CISA) where he managed the Known Exploited Vulnerabilities (KEV) catalog, considered one of the most important sources of authoritative vulnerability information in the world.

“runZero is built around the idea of, ‘how would an attacker look at my network, and are there tricks that I can borrow from them to make sense of my enterprise?’ This unique approach to exposure management provides some of the most valuable introspective intelligence on your own network available,” said Beardsley. “I’m excited to join runZero as we introduce these new capabilities to help security teams proactively mitigate risk.”


How to find Rockwell Automation devices

Latest Rockwell Automation vulnerability

Rockwell Automation has disclosed a vulnerability in their GuardLogix and Compact GuardLogix products.

CVE-2025-24478 is rated high, with a CVSS score of 7.1. Successful exploitation of this vulnerability would allow attackers to create an unrecoverable denial-of-service condition, requiring power cycling of the device to restore function. This vulnerability is exploitable over the network and without authentication.

The following devices are affected by this vulnerability:

  • GuardLogix 5580 (SIL 3 with the safety partner 3): Versions prior to V33.017, V34.014, V35.013, V36.011
  • Compact GuardLogix 5380 SIL 3: Versions prior to V33.017, V34.014, V35.013, V36.011

 

Are updates or workarounds available?

Rockwell Automation has released patches for the affected product. Users are advised to update their systems as quickly as possible.

 

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate potentially vulnerable systems:

hw:"Rockwell Automation%Logix%5_80"

 

October 2024: FactoryTalk ThinManager

Rockwell Automation has disclosed multiple vulnerabilities in their FactoryTalk ThinManager product.

CVE-2024-10386 is rated critical, with a CVSS v4 score of 9.3, and allows attackers with network access to send specially crafted packets that result in database manipulation.

CVE-2024-10387 is rated high, with a CVSS v4 score of 8.7, and allows attackers with network access to send specially crafted packets to the device, potentially triggering a denial-of-service.

The following versions are currently affected by these vulnerabilities:

  • ThinManager: Versions 11.2.0 to 11.2.9
  • ThinManager: Versions 12.0.0 to 12.0.7
  • ThinManager: Versions 12.1.0 to 12.1.8
  • ThinManager: Versions 13.0.0 to 13.0.5
  • ThinManager: Versions 13.1.0 to 13.1.3
  • ThinManager: Versions 13.2.0 to 13.2.2
  • ThinManager: Version 14.0.0

 

Are updates or workarounds available?

Rockwell Automation has released patches for the affected product. Users are advised to update their systems as quickly as possible. In addition, users are advised to limit communications to TCP 2031 to only the devices that need connection to the ThinManager.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:"Rockwell Automation" AND tcp:2031
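The query above only narrows the inventory to hosts that may run ThinManager; whether a host is in scope depends on its installed version. The following Python is an added example, not code from runZero or Rockwell Automation, that checks versions against the affected ranges listed above. The CSV column names (`address`, `software_version`) and the sample rows are constructed for illustration and are not a runZero export format.

```python
import csv
import io

# Affected ThinManager version ranges for CVE-2024-10386 / CVE-2024-10387,
# copied from the list above. Both ends of each range are inclusive.
AFFECTED_RANGES = [
    ((11, 2, 0), (11, 2, 9)),
    ((12, 0, 0), (12, 0, 7)),
    ((12, 1, 0), (12, 1, 8)),
    ((13, 0, 0), (13, 0, 5)),
    ((13, 1, 0), (13, 1, 3)),
    ((13, 2, 0), (13, 2, 2)),
    ((14, 0, 0), (14, 0, 0)),
]

# Constructed sample inventory (documentation addresses, hypothetical columns).
SAMPLE_INVENTORY = """\
address,software_version
192.0.2.10,13.1.3
192.0.2.11,13.1.4
192.0.2.12,v12.0.7
192.0.2.13,
192.0.2.14,14.0.0
192.0.2.15,11.1.5
192.0.2.16,13.2
"""


def parse_version(text):
    """Return (major, minor, patch), or None if the string is not x.y.z."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(version_text):
    """Classify one version string.

    "affected"   - inside one of the listed ranges
    "not_listed" - a valid version outside every listed range
    "unknown"    - missing or incomplete version; must be checked by hand,
                   never treated as unaffected
    """
    version = parse_version(version_text or "")
    if version is None:
        return "unknown"
    for low, high in AFFECTED_RANGES:
        if low <= version <= high:
            return "affected"
    return "not_listed"


def triage(csv_text):
    """Classify every row of an inventory CSV."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        version = row.get("software_version") or ""
        results.append({
            "address": row["address"],
            "version": version,
            "status": classify(version),
        })
    return results


def needs_action(results):
    """Addresses to patch (affected) or verify manually (unknown)."""
    return [r["address"] for r in results if r["status"] != "not_listed"]


if __name__ == "__main__":
    for entry in triage(SAMPLE_INVENTORY):
        print(f'{entry["address"]:<12} {entry["version"] or "-":<8} {entry["status"]}')
```

Hosts reported as `unknown` have no usable version string and stay on the follow-up list alongside the `affected` ones.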

 

September 2024: ControlLogix, GuardLogix, CompactLogix, and Compact GuardLogix

Rockwell Automation has disclosed multiple vulnerabilities in their ControlLogix, GuardLogix, CompactLogix, and Compact GuardLogix products.

Successful exploitation of these vulnerabilities results in devices crashing and becoming remotely inaccessible, requiring manual intervention to restart them.

CVE-2024-6077 is rated high, with a CVSS v4 score of 8.7.

Are updates or workarounds available?

Rockwell Automation has released patches and guidance for affected systems. Users are advised to upgrade as quickly as possible. Users may also disable CIP security on these devices to mitigate the issue.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:"Rockwell Automation" AND (hw:"1756-EN2" OR hw:"1756-ENBT" OR hw:"1756-CN2/B" OR hw:"1756-CN2/A" OR hw:"1756-CNB/D" OR hw:"1756-CNB/E")

 

August 2024: ControlLogix, GuardLogix, CompactLogix, and Compact GuardLogix

Rockwell Automation has disclosed multiple vulnerabilities in their ControlLogix, GuardLogix, CompactLogix, and Compact GuardLogix products.

Successful exploitation of these vulnerabilities results in devices crashing and becoming remotely inaccessible, requiring manual intervention to restart them.

CVE-2024-40619 is rated medium, with a CVSS score of 7.5, and indicates a denial-of-service scenario in which a malformed CIP packet causes a device to crash and require a manual restart.

| Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision |
| --- | --- | --- |
| ControlLogix 5580 | v34.011 | v34.014+ |
| GuardLogix 5580 | v34.011 | v34.014+ |

Are updates or workarounds available?

Rockwell Automation suggests updating devices to the corrected firmware revision.

  • CVE-2024-7515 is rated high, with a CVSS score of 8.6, and indicates a denial-of-service scenario in which a malformed PTP management packet causes a device to crash and require a manual restart.
  • CVE-2024-7507 is rated medium, with a CVSS score of 7.5, and indicates a denial-of-service scenario in which a malformed PCCC packet causes a device to crash and require a manual restart.

Rockwell Automation suggests updating devices to the corrected firmware revision. Additionally, they recommend restricting communication to CIP object 103 (0x67).

| Affected Product | Firmware Revision Prior To | Corrected in Firmware Revision |
| --- | --- | --- |
| CompactLogix 5380 (5069 – L3z) | v36.011, v35.013, v34.014 | v36.011, v35.013, v34.014 |
| CompactLogix 5480 (5069 – L4) | v36.011, v35.013, v34.014 | v36.011, v35.013, v34.014 |
| ControlLogix 5580 (1756 – L8z) | v36.011, v35.013, v34.014 | v36.011, v35.013, v34.014 |
| GuardLogix 5580 (1756 – L8z) | v36.011, v35.013, v34.014 | v36.011, v35.013, v34.014 |
| Compact GuardLogix 5380 (5069 – L3zS2) | v36.011, v35.013, v34.014 | v36.011, v35.013, v34.014 |

In all of the cases above, users should ensure these devices are isolated in their own networks to prevent unwanted packets from flooding the device.

 

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:"Rockwell Automation" AND (hw:"1756-EN2" OR hw:"1756-ENBT" OR hw:"1756-CN2/B" OR hw:"1756-CN2/A" OR hw:"1756-CNB/D" OR hw:"1756-CNB/E")

 

August 2024: ControlLogix, GuardLogix, and 1756 ControlLogix I/O Modules

On August 1st, 2024, Rockwell Automation disclosed a vulnerability in their ControlLogix, GuardLogix, and 1756 ControlLogix I/O Modules products.

CVE-2024-6242 is rated high, with a CVSS score of 7.3, and allows a threat actor to bypass the Trusted® Slot feature in a ControlLogix® controller.

If these vulnerabilities are successfully exploited on any affected module in a 1756 chassis, a threat actor could potentially execute CIP commands that modify user projects and/or device configuration on a Logix controller in the chassis.

 

Are updates or workarounds available?

Rockwell Automation recommends upgrading devices to apply the fixes for the affected devices.

| Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision |
| --- | --- | --- |
| ControlLogix® 5580 (1756-L8z) | V28 | V32.016, V33.015, V34.014, V35.011 and later |
| GuardLogix® 5580 (1756-L8zS) | V31 | V32.016, V33.015, V34.014, V35.011 and later |
| 1756-EN4TR | V2 | V5.001 and later |
| 1756-EN2T, Series A/B/C; 1756-EN2F, Series A/B; 1756-EN2TR, Series A/B; 1756-EN3TR, Series B | v5.007 (unsigned) / v5.027 (signed) | No fix is available for Series A/B/C. Users can upgrade to Series D to remediate this vulnerability |
| 1756-EN2T, Series D; 1756-EN2F, Series C; 1756-EN2TR, Series C; 1756-EN3TR, Series B; 1756-EN2TP, Series A | 1756-EN2T/D: V10.006; 1756-EN2F/C: V10.009; 1756-EN2TR/C: V10.007; 1756-EN3TR/B: V10.007; 1756-EN2TP/A: V10.020 | V12.001 and later |

Additionally, limit the allowed CIP commands on controllers by setting the mode switch to the RUN position.

 

How runZero users found potentially vulnerable systems

From the Asset Inventory, runZero users applied the following query to locate systems running potentially vulnerable software:

hw:"1756-EN2" OR hw:"1756-EN3" OR hw:"1756-EN4"

 

April 2024: ControlLogix 5580, Guard Logix 5580, CompactLogix 5380, and 1756-EN4TR

In April 2024, Rockwell Automation disclosed a vulnerability in their ControlLogix 5580, Guard Logix 5580, CompactLogix 5380, and 1756-EN4TR products.

CVE-2024-3493 was rated high, with a CVSS score of 8.6, and involved a specific malformed fragmented packet type which could cause a major nonrecoverable fault (MNRF) in Rockwell Automation’s ControlLogix 5580, Guard Logix 5580, CompactLogix 5380, and 1756-EN4TR. If exploited, the affected product would become unavailable and require a manual restart to recover it.

What was the impact?

Successful exploitation of these vulnerabilities resulted in devices crashing and becoming remotely inaccessible, requiring manual intervention to restart them.

Rockwell Automation provided software updates for the impacted versions.

| Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision |
| --- | --- | --- |
| ControlLogix® 5580 | V35.011 | V35.013, V36.011 |
| GuardLogix 5580 | V35.011 | V35.013, V36.011 |
| CompactLogix 5380 | V35.011 | V35.013, V36.011 |
| 1756-EN4TR | V5.001 | V6.001 |

How runZero users found potentially vulnerable systems

From the Asset Inventory, runZero users could use the following query to locate systems running potentially vulnerable software:

hw:"1756-EN4TR"

 

March 2024: Rockwell Automation PowerFlex 527

In March 2024, Rockwell Automation disclosed multiple vulnerabilities in their PowerFlex 527 product.

CVE-2024-2425 and CVE-2024-2426 are both rated high, with a CVSS score of 7.5. Both involve improper input validation, which could cause a web server crash and a CIP communication disruption, respectively, each requiring a manual restart.

CVE-2024-2427 is rated high, with a CVSS score of 7.5, and indicates a denial-of-service scenario in which improper network packet throttling causes a device to crash and require a manual restart.

 

What was the impact?

Successful exploitation of these vulnerabilities result in devices becoming inaccessible remotely and crashing and then require manual intervention to restart them.

 

Are updates or workarounds available?

Rockwell Automation does not currently have a fix for these vulnerabilities. Users of the affected software are encouraged to apply risk mitigations and security best practices, where possible.

Users should disable the web server if it is not needed; it should be disabled by default. Additionally, users should ensure these devices are isolated in their own networks to prevent unwanted packets from flooding the device.

 

How to find potentially vulnerable PowerFlex products

From the Asset Inventory, runZero users used the following query to locate systems running potentially vulnerable software:

hw.product:"powerflex"

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

How to find Siemens devices on your network

Multiple vulnerabilities (February 2025)

Siemens disclosed multiple vulnerabilities in various product lines:

  • SSA-111547 – cleartext storage of sensitive information in SIPROTEC 5 (CVSS score 5.1)
  • SSA-195895 – user enumeration vulnerability in the web server of SIMATIC Products (CVSS score 6.9)
  • SSA-224824 – denial of service vulnerabilities in SIMATIC S7-1200 CPU Family before V4.7 (CVSS score 8.7)
  • SSA-246355 – multiple vulnerabilities in Tableau Server Component of Opcenter Intelligence before V2501 (CVSS score 10.0)
  • SSA-342348 – insufficient session expiration vulnerability in Siemens SIMATIC PCS neo, TIA Administrator, and TIA Portal (CVSS score 8.7)
  • SSA-687955 – accessible development shell via physical interface in SIPROTEC 5 (CVSS score 7.0)
  • SSA-698820 – multiple vulnerabilities in FortiGate NGFW before V7.4.4 on RUGGEDCOM APE1808 devices (CVSS score 9.0)
  • SSA-767615 – information disclosure via SNMP in SIPROTEC 5 devices (CVSS score 8.7)
  • SSA-769027 – multiple vulnerabilities in SCALANCE W700 IEEE 802.11ax devices before V3.0.0 (CVSS score 8.6)
  • SSA-770770 – multiple vulnerabilities in FortiGate NGFW before V7.4.5 on RUGGEDCOM APE1808 devices (CVSS score 7.5)

What is the impact?

The disclosed vulnerabilities range in severity. For the most critical vulnerabilities, unauthenticated remote attackers could execute arbitrary code and completely take over a vulnerable system. Successful exploitation of other disclosed vulnerabilities could result in denial-of-service conditions, disclosure of sensitive information, or access to the underlying filesystem.

Are updates or workarounds available?

For the disclosed vulnerabilities, Siemens has released updates or patches. Siemens recommends that access is restricted to trusted sources. Refer to Siemens’ website for more information about their operational guideline recommendation.

How to find potentially vulnerable systems

From the Asset Inventory, runZero users applied the following query to locate systems running potentially vulnerable software:

hw:"SCALANCE M8" OR hw:"SIMATIC" OR hw:"RUGGEDCOM" OR hw:"SCALANCE"

Ten vulnerabilities disclosed in Siemens products (December 2024)

Siemens disclosed ten vulnerabilities in a variety of Siemens products, including their RUGGEDCOM, SENTRON, and other product lines. These vulnerabilities have CVSS scores that range from 5.1 (moderate) to 8.6 (high).

The disclosed vulnerabilities range in severity. For the most critical vulnerabilities, unauthenticated remote attackers could perform unauthorized administrative actions if they are able to get a local user to click on a malicious link. Successful exploitation of other disclosed vulnerabilities could result in denial-of-service conditions or disclosure of sensitive information.

Siemens has released updated patches for these vulnerabilities. Siemens also recommends that all systems be kept behind firewalls and have unnecessary services disabled.

How to find potentially vulnerable systems

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:Siemens

 

Multiple vulnerabilities (November 2024)

Siemens disclosed multiple vulnerabilities in various product lines:

  • SSA-354112 – multiple vulnerabilities in SCALANCE M-800 Family devices (CVSS score 8.6)
  • SSA-654798 – unauthenticated remote access to the filesystem in SIMATIC CP devices (CVSS score 8.7)
  • SSA-454789 – deserialization of untrusted data in TeleControl Server (CVSS score 10.0)

What is the impact?

The disclosed vulnerabilities range in severity. For the most critical vulnerabilities, unauthenticated remote attackers could execute arbitrary code and completely take over a vulnerable system. Successful exploitation of other disclosed vulnerabilities could result in denial-of-service conditions, disclosure of sensitive information, or access to the underlying filesystem.

Are updates or workarounds available?

For the disclosed vulnerabilities, Siemens has released updates or patches. Siemens recommends that access is restricted to trusted sources. Refer to Siemens’ website for more information about their operational guideline recommendation.

How to find potentially vulnerable systems

From the Asset Inventory, runZero users applied the following query to locate systems running potentially vulnerable software:

hw:"SCALANCE M8" OR hw:"SCALANCE S615" OR hw:"SIMATIC CP" OR (os:"Windows" AND tcp_port:26865)

35 vulnerabilities (September 2024)

Siemens disclosed 35 vulnerabilities in a variety of Siemens products, including their LOGO!, SIMATIC, SINEMA, and other product lines. These vulnerabilities have CVSS scores that range from 4.3 (moderate) to 10 (extremely critical).

The most critical vulnerabilities disclosed include:

  • SSA-955858 – multiple vulnerabilities in LOGO! 8 BM devices (CVSS score 9.8)
  • SSA-832273 – multiple vulnerabilities in RUGGEDCOM devices (CVSS score 9.8)
  • SSA-721642 – multiple vulnerabilities in SCALANCE devices (CVSS score 9.1)
  • SSA-673996 – multiple vulnerabilities in SICAM and SITIPE devices (CVSS score 8.2)
  • SSA-629254 – remote code execution vulnerability in SIMATIC SCADA and PCS 7 systems (CVSS score 9.1)
  • SSA-455250 – multiple vulnerabilities in RUGGEDCOM devices (CVSS score 9.8)
  • SSA-039007 – heap-based buffer overflow in the Siemens User Management Console component (CVSS score 9.8)

The disclosed vulnerabilities range in severity. For the most critical vulnerabilities, unauthenticated remote attackers could execute arbitrary code and completely take over a vulnerable system. Successful exploitation of other disclosed vulnerabilities could result in denial-of-service conditions or disclosure of sensitive information.

For most of the disclosed vulnerabilities, Siemens has released updates or patches. However, some vulnerabilities mentioned above, including some critical vulnerabilities, do not have patches released and it is unclear when such updates would be available. Siemens recommends that all systems be kept behind firewalls and have unnecessary services disabled.

How to find potentially vulnerable systems

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:Siemens

SCALANCE and RUGGEDCOM products (August 2024)

Siemens disclosed multiple vulnerabilities for a variety of products and devices, including the SCALANCE and RUGGEDCOM product lines.

  • CVE-2024-41976 is rated high, with a CVSS score of 7.2, and allows an authenticated attacker to execute arbitrary code by supplying invalid VPN configuration data.
  • CVE-2024-41977 is rated high, with a CVSS score of 7.1, and allows an attacker to escalate their privileges due to devices not properly enforcing user session isolation.
  • CVE-2024-41978 is rated high, with a CVSS score of 6.5, and allows an authenticated attacker to forge 2FA tokens of other users due to devices storing sensitive 2FA information in log files on disk.
  • CVE-2024-44321 is rated medium, with a CVSS score of 2.7, and allows an attacker to send large input data, causing an unauthenticated denial-of-service condition.

Successful exploitation of these vulnerabilities would allow an authenticated attacker to remotely execute code, escalate their privileges, or forge other users' credentials. The first three require the attacker to be authenticated before they can be exploited.

The last vulnerability has a lower score, but would still require the device to be restarted if the denial-of-service condition was triggered.

Siemens recommends upgrading all affected devices to firmware V8.1 or later. Additionally, users should ensure these devices are isolated in their own networks to prevent unwanted network traffic to the device.

How to find potentially vulnerable systems

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

hw:"RUGGEDCOM" OR hw:"SCALANCE" OR hw:"LOGO"

CVE-2024-35292 – SIMATIC S7-200 SMART Devices (July 2024)

In July 2024, Siemens disclosed a vulnerability in their SIMATIC S7-200 SMART Devices.

CVE-2024-35292 is rated high, with a CVSS score of 8.2, and allowed attackers to predict IP ID sequence numbers as their base method of attack, which could eventually allow an attacker to create a denial-of-service condition.

Successful exploitation of this vulnerability would allow an attacker to cause a denial-of-service condition.

The only workaround was to restrict access to the network where the affected products were located by introducing strict access control mechanisms.

How to find potentially vulnerable systems

From the Asset Inventory, runZero users applied the following query to locate systems running potentially vulnerable software:

hw:SIMATIC

 

SENTRON, SCALANCE, and RUGGEDCOM vulnerabilities (March 2024)

In March 2024, Siemens released security advisories for a variety of products and devices, including the SENTRON, SCALANCE, and RUGGEDCOM product lines.

Several of the vulnerabilities had CVSS scores in the 7.0 to 8.9 range (high) and several more in the 9.0 to 10.0 range (critical).

For the full list of vulnerabilities, you can consult Siemens ProductCERT.

Several of these vulnerabilities allowed for unauthenticated remote code execution, allowing for compromise of the vulnerable systems. Other vulnerabilities could lead to privilege escalation, information disclosure, or denial of service. Users were urged to upgrade as quickly as possible.

Siemens released updates via a variety of channels. See Siemens ProductCERT for details.

How to find potentially vulnerable systems

From the Asset Inventory, runZero users applied the following query to locate Siemens assets that were potentially vulnerable:

hardware:Siemens OR hardware:RuggedCom

 
