CVE-2024-22809 is an access control vulnerability identified in the Tormach xsTECH CNC Router PathPilot Controller version 2.9.6. The flaw arises from improper enforcement of access permissions on the shared folder containing G code files, which are critical instructions used by CNC machines to perform manufacturing tasks. Due to this incorrect access control, attackers with network access can view the contents of the G code shared folder without requiring any authentication or user interaction. The vulnerability is classified under CWE-228 (Improper Access Control), indicating a failure to restrict access to sensitive resources properly. The CVSS 3.1 base score is 6.5, with the vector AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, meaning the attack can be performed remotely over a network with low attack complexity, no privileges, and no user interaction, resulting in a high confidentiality impact but no integrity or availability impact. No patches or mitigations have been officially released yet, and no exploits have been reported in the wild. The vulnerability primarily threatens the confidentiality of proprietary manufacturing data, which could be leveraged for industrial espionage or intellectual property theft.

The primary impact of CVE-2024-22809 is the unauthorized disclosure of sensitive G code files, which contain detailed instructions for CNC machining processes. Exposure of these files can lead to intellectual property theft, loss of competitive advantage, and potential sabotage if attackers analyze or replicate manufacturing processes. While the vulnerability does not allow modification or disruption of the CNC operations, the confidentiality breach alone can have significant financial and reputational consequences for affected organizations. Industrial manufacturers relying on Tormach xsTECH CNC Routers are at risk, especially those producing proprietary or sensitive components. The lack of required privileges or user interaction lowers the barrier for exploitation, increasing the likelihood of unauthorized access if network controls are insufficient. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits over time.

To mitigate CVE-2024-22809, organizations should implement strict network segmentation and access controls to limit exposure of the PathPilot Controller to trusted networks only. Use firewalls or VLANs to isolate CNC controllers from general corporate or internet-facing networks. Employ strong monitoring and logging of file access to detect unauthorized attempts to view the G code shared folder. If possible, disable or restrict SMB or other file sharing protocols used by the controller to share G code files. Regularly audit user and device permissions to ensure no unintended access paths exist. Until an official patch or update is released by Tormach, consider manual review and restriction of shared folder permissions on the controller. Engage with the vendor for updates and apply patches promptly once available. Additionally, educate staff on the sensitivity of G code files and enforce policies to prevent unauthorized copying or transmission.