The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App utilize an undocumented custom protocol to set up Modbus communications with other devices without validating those devices, resulting in an origin validation error
Description
The Auto-Maskin products utilize an undocumented custom protocol to set up Modbus communications with other devices without validating those devices. The originating device sends a plaintext message, 48:65:6c:6c:6f:20:57:6f:72:6c:64 ("Hello World"), over UDP ports 44444-44446 to the broadcast address for the LAN. Devices respond, without verification, to any of these broadcast messages on the LAN with a plaintext reply over UDP containing the device model and firmware version. Following this exchange, the devices allow Modbus transmissions between the two devices on the standard Modbus port, 502 TCP. Impact: An attacker can exploit this vulnerability to send arbitrary messages to any DCU or RP device through spoofing or replay attacks, as long as they have access to the network. Affected releases are Auto-Maskin DCU-210E and RP-210E: versions prior to 3.7 on ARMv7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Auto-Maskin DCU-210E and RP-210E devices prior to 3.7 use an undocumented plaintext UDP broadcast protocol for Modbus setup without origin validation, enabling network-adjacent spoofing or replay attacks.
Vulnerability
Auto-Maskin DCU-210E and RP-210E devices, versions prior to 3.7 on ARMv7, implement an undocumented custom protocol to establish Modbus communications. The originating device broadcasts the plaintext message 48:65:6c:6c:6f:20:57:6f:72:6c:64 ("Hello World") over UDP ports 44444-44446 to the LAN broadcast address. Any listening device on the same network responds with a plaintext UDP packet containing its device model and firmware version, after which Modbus traffic (port 502 TCP) is allowed between the two devices. The protocol performs no validation of the source or destination device identities. This flaw is categorized as an origin validation error (CWE-346) [1][2].
Exploitation
An attacker must have network access to the same LAN segment as vulnerable devices. No authentication, user interaction, or special privileges are required. The attacker can spoof a broadcast message or replay a captured exchange, causing a targeted device to respond with its model and firmware version. Once the device has responded, the attacker can transmit arbitrary Modbus commands over TCP on port 502 without additional verification [1][2].
Impact
Successful exploitation allows an attacker to observe device metadata (model and firmware) by capturing plaintext responses. More critically, the attacker can inject arbitrary Modbus control messages into the connected engine control system, potentially altering device operations. This results in high confidentiality and high integrity impact, as an attacker can both read device information and modify process control data. The CVSS v3 base score for this vulnerability (CVE-2018-5400) is 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) [1].
Mitigation
As of the original disclosure date (2018-10-06), the vendor had not released an update to address this vulnerability. CERT/CC advised that critical control devices should only be accessible via private, carefully secured networks [2]. Later, in CISA advisory ICSA-20-051-04 (February 2020), affected versions were listed as RP210E and DCU210E versions 3.7 and prior, but no patch was explicitly mentioned. Operators should isolate these devices behind firewalls, restrict UDP broadcast traffic on ports 44444-44446, and monitor network segments for unauthorized Modbus activity [1][2]. If a fixed firmware version has been released subsequently, it is not documented in the available references.
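To make the monitoring advice concrete, the following added example (not vendor, CERT/CC or CISA code) flags the discovery broadcast and any Modbus session that comes from a host outside an approved inventory. The packet record layout, the inventory mapping, the 60-second correlation window and all sample addresses are assumptions constructed for illustration.

```python
from collections import namedtuple

# Protocol constants taken from the description above.
DISCOVERY_PORTS = range(44444, 44447)            # UDP 44444-44446
HELLO = bytes.fromhex("48656c6c6f20576f726c64")  # b"Hello World"
MODBUS_PORT = 502                                # Modbus over TCP

# Hypothetical record layout, e.g. filled from a capture or flow export.
Pkt = namedtuple("Pkt", "ts proto mac src dst dport payload")

def detect(packets, inventory, window=60.0):
    """Return (ts, rule, origin, src) alerts for hosts outside `inventory`.

    `inventory` maps each approved IP to the MAC expected for it. MAC pinning
    is only a heuristic (MACs can be forged too), so treat alerts as leads.
    """
    alerts, last_probe = [], {}
    for p in sorted(packets, key=lambda p: p.ts):
        if inventory.get(p.src) == p.mac:
            continue                             # approved IP/MAC pair
        origin = "spoofed-ip" if p.src in inventory else "unknown-host"
        if p.proto == "udp" and p.dport in DISCOVERY_PORTS and p.payload.startswith(HELLO):
            last_probe[p.mac] = p.ts             # remember who probed, and when
            alerts.append((p.ts, "discovery-probe", origin, p.src))
        elif p.proto == "tcp" and p.dport == MODBUS_PORT:
            recent = p.ts - last_probe.get(p.mac, float("-inf")) <= window
            rule = "modbus-after-probe" if recent else "modbus-session"
            alerts.append((p.ts, rule, origin, p.src))
    return alerts

# Constructed sample data (documentation IP and MAC ranges), not a real capture.
INVENTORY = {"192.0.2.20": "00:00:5e:00:53:01"}  # hypothetical approved panel
BCAST, DCU = "192.0.2.255", "192.0.2.30"
SAMPLE = [
    Pkt(1.0, "udp", "00:00:5e:00:53:01", "192.0.2.20", BCAST, 44444, HELLO),
    Pkt(2.0, "tcp", "00:00:5e:00:53:01", "192.0.2.20", DCU, 502, b""),
    Pkt(10.0, "udp", "00:00:5e:00:53:99", "192.0.2.99", BCAST, 44445, HELLO),
    Pkt(12.0, "tcp", "00:00:5e:00:53:99", "192.0.2.99", DCU, 502, b""),
    Pkt(20.0, "udp", "00:00:5e:00:53:aa", "192.0.2.20", BCAST, 44446, HELLO),
    Pkt(25.0, "udp", "00:00:5e:00:53:77", "192.0.2.77", BCAST, 44444, b"ping"),
    Pkt(300.0, "tcp", "00:00:5e:00:53:77", "192.0.2.77", DCU, 502, b""),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE, INVENTORY):
        print(alert)
```

Because the protocol itself carries no origin check, the inventory comparison has to live in the monitoring layer; an approved IP seen with an unexpected MAC is reported as `spoofed-ip` rather than silently trusted.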
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <3.7 on ARMv7
- Auto-Maskin/DCU-210E (v5), Range: 3.7
- Auto-Maskin/Marine Pro Observer Android App (v5), Range: 0.1
- Auto-Maskin/RP-210E (v5), Range: 3.7
Patches
No patches discovered yet.
References
- www.kb.cert.org/vuls/id/176301 (mitre; third-party-advisory; x_refsource_CERT-VN)
- www.us-cert.gov/ics/advisories/icsa-20-051-04 (mitre; x_refsource_MISC)