CVE-2024-22077 identifies a security vulnerability in Elspec G5 digital fault recorders, specifically in versions 1.1.4.15 and earlier. The core issue is the weak permission settings on the SQLite database file used by the device. SQLite databases often contain critical operational data, logs, and configuration information. Weak permissions mean that unauthorized users or processes with local or network access could read the database contents, potentially exposing sensitive information about the device’s operation or the monitored electrical grid. The vulnerability has a CVSS 3.1 base score of 5.3, reflecting a medium severity level. The attack vector is network-based (AV:N), requiring no privileges (PR:N) or user interaction (UI:N), and the scope is unchanged (S:U). The impact is limited to confidentiality (C:L) with no impact on integrity or availability. This vulnerability is classified under CWE-280, which relates to improper access control or permissions. While no public exploits have been reported, the exposure of sensitive data could facilitate further attacks or information leakage. The Elspec G5 device is commonly used in power grid monitoring and fault recording, making it a critical component in industrial control systems (ICS). The lack of secure file permissions on such a device could undermine operational security and privacy. Organizations relying on these devices should audit file permissions, restrict access to trusted personnel and systems, and monitor network traffic for anomalies. The absence of vendor patches at the time of reporting necessitates immediate compensating controls to mitigate risk.

The primary impact of CVE-2024-22077 is the potential unauthorized disclosure of sensitive operational data stored in the SQLite database of Elspec G5 digital fault recorders. This could allow attackers to gain insights into the electrical grid’s fault conditions, configurations, or operational parameters, which may be leveraged for further targeted attacks or espionage. Although the vulnerability does not directly affect system integrity or availability, the confidentiality breach could undermine trust in the device’s security and lead to indirect operational risks. For organizations managing critical infrastructure, such as power utilities, exposure of fault recorder data could reveal vulnerabilities or operational patterns to adversaries, increasing the risk of sabotage or disruption. The ease of exploitation over the network without authentication raises the threat level, especially in environments with insufficient network segmentation or access controls. The lack of known exploits suggests limited current exploitation but does not preclude future attacks. Overall, the vulnerability poses a moderate risk to confidentiality with potential cascading effects on operational security in industrial environments.

To mitigate CVE-2024-22077, organizations should immediately audit the file permissions on the SQLite database files within Elspec G5 devices to ensure they are restricted to authorized system processes and administrators only. Network access to these devices should be tightly controlled using firewalls, VLAN segmentation, and access control lists to limit exposure to trusted hosts. Implement strict role-based access controls (RBAC) and ensure that only necessary personnel have administrative privileges on the devices. Monitor device logs and network traffic for unusual access patterns or attempts to read the database files. Since no official patches are currently available, consider deploying host-based intrusion detection systems (HIDS) or endpoint protection solutions capable of alerting on unauthorized file access. Engage with the vendor for updates or patches and plan for timely deployment once available. Additionally, incorporate these devices into the broader industrial control system security framework, including regular security assessments and penetration testing focused on file permissions and access controls. Document and enforce secure configuration baselines for all critical ICS components.