
CVE-2024-2637: CWE-427 Uncontrolled Search Path Element in B&R Industrial Automation Scene Viewer

Medium
Published: Tue May 14 2024 (05/14/2024, 18:49:28 UTC)
Source: CVE
Vendor/Project: B&R Industrial Automation
Product: Scene Viewer

Description

An Uncontrolled Search Path Element vulnerability in B&R Industrial Automation Scene Viewer, B&R Industrial Automation Automation Runtime, B&R Industrial Automation mapp Vision, B&R Industrial Automation mapp View, B&R Industrial Automation mapp Cockpit, B&R Industrial Automation mapp Safety, B&R Industrial Automation VC4, B&R Industrial Automation APROL, B&R Industrial Automation CAN Driver, B&R Industrial Automation CAN Driver CC770, B&R Industrial Automation CAN Driver SJA1000, B&R Industrial Automation Touch Lock, B&R Industrial Automation B&R Single-Touch Driver, B&R Industrial Automation Serial User Mode Touch Driver, B&R Industrial Automation Windows Settings Changer (LTSC), B&R Industrial Automation Windows Settings Changer (2019 LTSC), B&R Industrial Automation Windows 10 Recovery Solution, B&R Industrial Automation ADI driver universal, B&R Industrial Automation ADI Development Kit, B&R Industrial Automation ADI .NET SDK, B&R Industrial Automation SRAM driver, B&R Industrial Automation HMI Service Center, B&R Industrial Automation HMI Service Center Maintenance, B&R Industrial Automation Windows 10 IoT Enterprise 2019 LTSC, B&R Industrial Automation KCF Editor could allow an authenticated local attacker to execute malicious code by placing specially crafted files in the loading search path.

This issue affects Scene Viewer: before 4.4.0; Automation Runtime: before J4.93; mapp Vision: before 5.26.1; mapp View: before 5.24.2; mapp Cockpit: before 5.24.2; mapp Safety: before 5.24.2; VC4: before 4.73.2; APROL: before 4.4-01; CAN Driver: before 1.1.0; CAN Driver CC770: before 3.3.0; CAN Driver SJA1000: before 1.3.0; Touch Lock: before 2.1.0; B&R Single-Touch Driver: before 2.0.0; Serial User Mode Touch Driver: before 1.7.1; Windows Settings Changer (LTSC): before 3.2.0; Windows Settings Changer (2019 LTSC): before 2.2.0; Windows 10 Recovery Solution: before 3.2.0; ADI driver universal: before 3.2.0; ADI Development Kit: before 5.5.0; ADI .NET SDK: before 4.1.0; SRAM driver: before 1.2.0; HMI Service Center: before 3.1.0; HMI Service Center Maintenance: before 2.1.0; Windows 10 IoT Enterprise 2019 LTSC: through 1.1; KCF Editor: before 1.1.0.

AI-Powered Analysis

Last updated: 06/24/2025, 02:40:38 UTC

Technical Analysis

CVE-2024-2637 is an Uncontrolled Search Path Element vulnerability (CWE-427) affecting multiple products from B&R Industrial Automation, including Scene Viewer, Automation Runtime, mapp Vision, mapp View, mapp Cockpit, mapp Safety, VC4, APROL, various CAN Drivers, Touch Lock, Single-Touch Driver, Serial User Mode Touch Driver, Windows Settings Changer variants, Windows 10 Recovery Solution, ADI drivers and SDKs, SRAM driver, HMI Service Center and Maintenance, Windows 10 IoT Enterprise 2019 LTSC, and KCF Editor. The vulnerability arises because these products improperly handle the search path used to locate executable files or libraries, allowing an authenticated local attacker to place specially crafted files in the search path. When the affected software loads resources or executables, it may inadvertently execute malicious code from these attacker-controlled locations. This can lead to local code execution with the privileges of the affected application. The vulnerability affects versions prior to specified fixed releases (e.g., Scene Viewer before 4.4.0, Automation Runtime before J4.93, etc.). Exploitation requires local authentication, meaning the attacker must have valid access to the system. There is no indication that user interaction beyond authentication is needed. No known exploits are currently reported in the wild. The vulnerability impacts the confidentiality, integrity, and availability of the affected systems by enabling unauthorized code execution, potentially allowing attackers to manipulate industrial automation processes or disrupt operations. Given the broad range of affected products used in industrial control and automation environments, this vulnerability poses a significant risk to operational technology (OT) environments relying on B&R Industrial Automation solutions.

Potential Impact

For European organizations, particularly those operating in industrial automation, manufacturing, and critical infrastructure sectors, this vulnerability could have serious consequences. Successful exploitation could allow an authenticated insider or a compromised local user to execute arbitrary code, potentially leading to sabotage, data manipulation, or disruption of industrial processes. This could result in production downtime, safety hazards, financial losses, and damage to reputation. Given the integration of B&R Industrial Automation products in sectors such as automotive manufacturing, energy, and utilities across Europe, the vulnerability could impact operational continuity and safety. Furthermore, the ability to execute code locally could be leveraged as a foothold for lateral movement within industrial networks, increasing the risk of broader compromise. The medium severity rating reflects the requirement for local authentication, but the critical nature of industrial control systems elevates the potential impact. Organizations with remote access solutions or weak local access controls may face increased risk. The lack of known exploits in the wild suggests limited immediate threat but does not diminish the urgency of remediation due to the potential for high-impact attacks in sensitive environments.

Mitigation Recommendations

1. Immediate application of vendor patches and updates to all affected B&R Industrial Automation products is the most effective mitigation. Organizations should prioritize upgrading to fixed versions as listed in the advisory.
2. Restrict and monitor local access to systems running affected software. Implement strict access controls, including multi-factor authentication for local logins where possible, to reduce risk of unauthorized local access.
3. Employ application whitelisting and integrity monitoring on industrial control systems to detect and prevent execution of unauthorized or malicious binaries placed in search paths.
4. Review and harden system configurations to limit writable directories in the search path, ensuring that only trusted locations are used for executable loading.
5. Conduct regular audits of installed software versions and patch status across OT environments to identify and remediate vulnerable instances promptly.
6. Segment industrial networks to limit lateral movement opportunities if local compromise occurs.
7. Implement robust logging and alerting for suspicious file creation or modification in directories involved in executable loading paths.
8. Educate and train local users and administrators on the risks of placing unauthorized files in system paths and the importance of following security policies.

These measures, combined with patching, will reduce the attack surface and mitigate exploitation risk beyond generic advice.
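Mitigation 4 can be checked mechanically on a Windows host. The following PowerShell function is an added example, not code from B&R or from the advisory: it audits search-path directories (the machine-wide PATH by default) and reports entries that are relative, missing, or writable by low-privileged principals. The function name `Find-WritableSearchPathDir` and the set of SIDs treated as low-privileged are assumptions chosen for illustration.

```powershell
# Added example (not vendor code): flag search-path directories where a
# non-administrative principal could create files.
function Find-WritableSearchPathDir {
    param(
        # Directories to audit; defaults to the machine-wide PATH.
        [string[]]$Directory = ([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';')
    )

    # Well-known SIDs treated as low-privileged (assumption; extend per site policy).
    # SIDs are used instead of names so the check works on localized Windows builds.
    $lowPriv = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
        'S-1-5-4'      = 'INTERACTIVE'
    }
    # WriteData/CreateFiles (0x2), AppendData/CreateDirectories (0x4),
    # GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000).
    $writeBits   = 0x2 -bor 0x4 -bor 0x10000000 -bor 0x40000000
    $sidType     = [System.Security.Principal.SecurityIdentifier]
    $allow       = [System.Security.AccessControl.AccessControlType]::Allow
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    foreach ($entry in $Directory) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))

        if (-not [System.IO.Path]::IsPathRooted($dir)) {
            # Relative entries resolve against the current working directory.
            [pscustomobject]@{ Path = $dir; Finding = 'RelativeEntry'; Principal = $null }
            continue
        }
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # A missing directory may be creatable by whoever can write to its parent.
            [pscustomobject]@{ Path = $dir; Finding = 'MissingDirectory'; Principal = $null }
            continue
        }
        $rules = (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $sidType)
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -ne $allow) { continue }
            # Inherit-only ACEs apply to children, not to the directory itself.
            if (([int]$rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }
            if ($lowPriv.ContainsKey($sid) -and (([int]$rule.FileSystemRights -band $writeBits) -ne 0)) {
                [pscustomobject]@{ Path = $dir; Finding = 'WritableByLowPriv'; Principal = $lowPriv[$sid] }
            }
        }
    }
}

Find-WritableSearchPathDir | Format-Table -AutoSize
```

Pass an application's install directory with `-Directory` to audit it as well, since Windows also searches the directory of the loading executable when resolving libraries.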


Technical Details

Data Version: 5.1
Assigner Short Name: ABB
Date Reserved: 2024-03-19T08:15:24.368Z
CISA Enriched: true

Threat ID: 682d9840c4522896dcbf15e2

Added to database: 5/21/2025, 9:09:20 AM

Last enriched: 6/24/2025, 2:40:38 AM

Last updated: 8/12/2025, 9:03:26 AM
