Modbus write amplification in Axion PLC gateway
A single crafted Modbus/TCP frame fans out into hundreds of register writes on downstream serial PLCs, letting a low-bandwidth attacker stall a control loop and trip safety interlocks.
- Vendor
- Axion Controls
- Product
- EdgeLink MB-200 protocol gateway
- Severity
- High · CVSS 7.8
- Target
- Industrial control
- Disclosed
- Status
- Patched in gateway firmware 2.9
Overview
The EdgeLink MB-200 bridges Modbus/TCP from a plant network to legacy RS-485 PLC segments. Its multi-write handler expands a function-code 16 (Write Multiple Registers) request into one per-register write transaction on the serial side for every register the request names.
No upper bound is enforced on the 16-bit quantity-of-registers field, which the Modbus specification caps at 123 for a single FC16 request, so a frame claiming the full 65,535-register span is faithfully replayed as a storm of serial writes.
Impact
The serial bus saturates, scan cycles miss their deadline, and watchdog logic on connected PLCs trips to a safe state — an operational outage triggered by a few kilobytes of traffic.
Remediation
Firmware 2.9 clamps the register count to the addressable map and rate-limits serial fan-out; both are needed, since the clamp bounds a single frame while the rate limit bounds a stream of individually valid frames. Defenders should also segment OT traffic and deny Modbus/TCP (TCP port 502) from untrusted VLANs.
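The unchecked expansion described in the Overview and the clamp-plus-rate-limit fix described here, as an added example in Python (not Axion Controls firmware or any code from this advisory). It assumes the gateway replays each FC16 request as one FC06 (Write Single Register) RTU transaction per register, as the advisory states; the 256-register map size, the rate-limit figures and the sample frames are assumptions, while the 123-register ceiling and the 16-bit quantity field come from the Modbus specification.

```python
"""Modbus/TCP FC16 validation and serial fan-out bounding.

Added example, not Axion Controls firmware. It assumes, as the advisory
describes, that the gateway replays each FC16 (Write Multiple Registers)
request as one FC06 (Write Single Register) RTU transaction per register.
The register-map size and the rate-limit figures are assumptions.
"""
import struct
from collections import namedtuple

FC16_MAX_QUANTITY = 123        # Modbus spec limit for one FC16 request (0x7B)
HOLDING_REGISTER_COUNT = 256   # assumed size of the downstream PLC's map
FC06_RTU_BYTES = 8             # unit, fc, addr(2), value(2), crc(2)

Fc16Request = namedtuple("Fc16Request", "txid unit start quantity byte_count values")


def build_fc16(txid, unit, start, values, claimed_quantity=None):
    """Build an MBAP + FC16 frame. `claimed_quantity` lets a constructed frame
    lie about how many registers it carries, which is what the attack relies on."""
    quantity = len(values) if claimed_quantity is None else claimed_quantity
    data = b"".join(struct.pack(">H", v) for v in values)
    pdu = struct.pack(">BHHB", 16, start, quantity, len(data)) + data
    mbap = struct.pack(">HHHB", txid, 0, len(pdu) + 1, unit)  # length = unit id + PDU
    return mbap + pdu


def parse_fc16(frame):
    """Parse framing only; trusts the quantity field exactly as the vulnerable handler does."""
    if len(frame) < 13:
        raise ValueError("frame too short for FC16")
    txid, proto, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    if fc != 16:
        raise ValueError("not function code 16")
    start, quantity, byte_count = struct.unpack(">HHB", frame[8:13])
    data = frame[13:]
    values = [v for (v,) in struct.iter_unpack(">H", data[: len(data) // 2 * 2])]
    return Fc16Request(txid, unit, start, quantity, byte_count, values)


def serial_fanout_bytes(req):
    """Serial bytes the unpatched per-register expansion emits for this request."""
    return req.quantity * FC06_RTU_BYTES


def amplification(frame):
    """Serial bytes emitted per Modbus/TCP byte received, for the unpatched handler."""
    return serial_fanout_bytes(parse_fc16(frame)) / len(frame)


def validate_fc16(req, map_size=HOLDING_REGISTER_COUNT):
    """The missing check: None if the request may be expanded, else the reason to reject."""
    if not 1 <= req.quantity <= FC16_MAX_QUANTITY:
        return "quantity outside 1..123"
    if req.byte_count != 2 * req.quantity or len(req.values) != req.quantity:
        return "byte count disagrees with quantity"
    if req.start + req.quantity > map_size:
        return "range exceeds register map"
    return None


class FanoutLimiter:
    """Token bucket over per-register serial writes, so a stream of valid
    123-register frames cannot saturate the RS-485 segment either."""

    def __init__(self, writes_per_s, burst):
        self.rate, self.burst = writes_per_s, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, n_writes, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if n_writes > self.tokens:
            return False
        self.tokens -= n_writes
        return True


if __name__ == "__main__":
    # Constructed frames: a legitimate 3-register write and a 17-byte frame
    # that carries two values but claims the full 16-bit span.
    legit = build_fc16(1, 5, 0, [10, 20, 30])
    crafted = build_fc16(2, 5, 0, [10, 20], claimed_quantity=0xFFFF)
    for frame in (legit, crafted):
        req = parse_fc16(frame)
        print(len(frame), "bytes in ->", serial_fanout_bytes(req), "serial bytes out;",
              "verdict:", validate_fc16(req) or "accept")
```

The crafted frame is 17 bytes on the wire yet, trusted as-is, yields 65,535 eight-byte RTU writes, an amplification above 30,000x. The validator rejects it on the quantity bound alone; the byte-count and map-range checks catch frames that stay under 123 but still disagree with their payload or address registers the PLC does not have. The limiter is what makes the rate-limit half of the fix matter: at the assumed 100 writes per second, a second back-to-back 123-register frame half a second later is held back even though each frame is valid on its own.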
Disclosure timeline
- Disclosure to Axion Controls
- Vendor reproduces issue
- Firmware 2.9 released
- Advisory published