KB91515
Published: May 15, 2026
Revision: 1.0

“Fragnesia” Vulnerability in groov EPIC and RIO


Applies To:

Firmware for the following groov EPICs:

  • GRV-EPIC-PR1
  • GRV-EPIC-PR2
Firmware for the following groov RIOs:
  • GRV-R7-MM1001-10
  • GRV-R7-MM2001-10
  • GRV-R7-I1VAPM-3

Versions Affected:

4.0.0 to 4.1.1

Resolved In Version:

4.1.2


Symptoms:

The “Fragnesia” vulnerability in the Linux kernel used by groov EPIC processors and groov RIO modules could allow an attacker to obtain unauthorized administrative (root-level) privileges on your EPIC or RIO by crafting specific logic through these applications:

  • Node-RED
  • CODESYS
  • Shell access (SSH)
This vulnerability is identified in the National Vulnerability Database as: CVE-2026-46300

Workaround:

Your groov device is designed with several cybersecurity features to help prevent unauthorized users from accessing your device and to protect the services that run on it, like groov Manage, Node-RED, CODESYS, or shell (SSH). The following cybersecurity features offer the highest level of protection when implemented with the described best practices:

  • Accounts—Always create cryptographically strong, unique passwords for all user accounts, and protect these account credentials. When you first started using your groov device, you created an administrator account. You are responsible for protecting this account, along with any subsequent accounts you may have created. (Remember: There is no default user account.)
  • Firewall Configuration—The default firewall configurations on a groov device provide limited access to the services that run on it. If you change the default configurations, ensure that they restrict access from untrusted networks. For instructions on configuring the firewall, review the section “Configuring the Firewall” in the following user guides:
  • Network Zoning—The network interfaces (ETH0/ETH1, WLAN0, and VPN0) on a groov device do not communicate with each other, which helps support network zoning: dividing OT networks (which typically do not have internet access) from IT networks (which typically do have internet access).
If you believe your implementation of these cybersecurity features might have been compromised (thereby exposing your groov device to this vulnerability), you should implement the following mitigations:
  • If you’re not using Node-RED, disable it. To disable Node-RED:
    1. Log into your groov device with a user ID that has administrator privileges.
    2. In the groov Manage Home page, click Node-RED.
    3. In the Runtime field, click Disable.
    4. groov Manage prompts you to confirm that you want to disable Node-RED. Click OK.
    5. Wait for the Status field to display Disabled to ensure Node-RED is disabled.
  • If you're not using CODESYS, disable it. To disable CODESYS:
    1. Log into your groov device with a user ID that has administrator privileges.
    2. In the groov Manage Home page, click Controller.
    3. In the Runtime field, click Disable.
    4. groov Manage prompts you to confirm that you want to disable CODESYS. Click OK.
    5. Wait for the Status field to display Disabled to ensure CODESYS is disabled.
  • If you are using shell (SSH) access, do one of the following:
    • In shell, prevent loading of the esp4 and esp6 kernel modules. Contact Product Support for instructions.
    • Disable shell (SSH) access:
      1. Log into your groov device with a user ID that has administrator privileges.
      2. From the groov Manage Home page, click System > Shell.
      3. If shell access is enabled, enter your shell username and password, then click Disable.
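The esp4/esp6 mitigation above can be audited from the shell with the check below. It is an added example, not Opto 22's procedure (which comes from Product Support), and it assumes the standard Linux locations /proc/modules and /etc/modprobe.d, which are not confirmed for groov firmware.

```shell
#!/bin/sh
# Added example: report whether esp4/esp6 are loaded, blocked, or still loadable.
# Default paths are standard Linux locations (assumption for groov firmware).

# module_loaded MODULE [MODULES_FILE]: succeeds if MODULE is currently loaded.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' \
        "${2:-/proc/modules}" 2>/dev/null
}

# module_blocked MODULE [CONF_DIR]: succeeds if a modprobe.d file maps MODULE
# to a no-op install command (install MODULE /bin/false or /bin/true).
# A bare "blacklist" line is not counted: it only suppresses alias-based
# autoloading and does not stop an explicit modprobe of the module.
module_blocked() {
    dir="${2:-/etc/modprobe.d}"
    [ -d "$dir" ] || return 1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        awk -v m="$1" '
            /^[ \t]*#/ { next }
            $1 == "install" && $2 == m &&
                ($3 == "/bin/false" || $3 == "/bin/true") { found = 1 }
            END { exit !found }' "$f" && return 0
    done
    return 1
}

# esp_status MODULE [MODULES_FILE] [CONF_DIR]: prints loaded, blocked or loadable.
esp_status() {
    if module_loaded "$1" "$2"; then echo loaded
    elif module_blocked "$1" "$3"; then echo blocked
    else echo loadable
    fi
}

# audit_esp [MODULES_FILE] [CONF_DIR]: one line per module named in the advisory.
audit_esp() {
    for m in esp4 esp6; do
        printf '%s: %s\n' "$m" "$(esp_status "$m" "$1" "$2")"
    done
}

audit_esp "$@"
```

A result of "loaded" means the module is already in the running kernel, so a modprobe.d rule alone does not remove it until the module is unloaded or the device restarts.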

Resolution:

Opto 22 has resolved this issue.

Questions?

Contact: Opto 22 Product Support.
Phone: 800-835-6786 or 951-695-3080
Email: support@opto22.com


DISCLAIMER

This Opto 22 Knowledge Base ('OptoKB') article is intended to provide general technical information on a particular subject or subjects and is not an exhaustive treatment of such subjects. Accordingly, the information in this OptoKB article is not intended to constitute application, design, software, or other professional engineering advice or services. Opto 22 may modify the OptoKB articles at any time. Before making any decision or taking any action which might affect your equipment, you should consult a qualified professional.

OPTO 22 DOES NOT WARRANT THE COMPLETENESS, TIMELINESS, OR ACCURACY OF THE DATA CONTAINED IN THIS OPTOKB ARTICLE AND MAY MAKE CHANGES THERETO AT ANY TIME AT ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS 'AS IS.' IN NO EVENT SHALL OPTO 22 BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOST PROFIT, OR DAMAGE, EVEN IF OPTO 22 HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

OPTO 22 DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED WITH RESPECT TO THE INFORMATION (INCLUDING HARDWARE, SOFTWARE, AND/OR FIRMWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, AND NON-INFRINGEMENT. Note that certain jurisdictions do not sanction the exclusion of implied warranties: thus, this disclaimer may not apply to you.

Copyright © 2026 Opto 22. All rights reserved.