CVE-2024-12903 HIGH

CVE-2024-12903: Incorrect default permissions in Biamp Evoko Home

Vendor Biamp
Product Evoko Home Service
Weakness CWE-276
Published December 23, 2024
Last update December 24, 2024

CVSS base score

7.8/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Evoko Home versions 2.4.2 to 2.7.4 are affected by an incorrect default permissions vulnerability. A non-admin user could exploit weak file and folder permissions to escalate privileges, execute arbitrary code and maintain persistence on the compromised machine. Full control permissions are granted to the ‘Everyone’ group (i.e. any user who has local access to the operating system, regardless of their privileges).
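
One way to check a host for the condition described above, as an added example that is not part of the advisory or the vendor's tooling: this PowerShell script lists every file and folder under a directory where Everyone (well-known SID S-1-1-0) is allowed write-level rights. The advisory does not give the install path, so -Root is a placeholder parameter you supply.

```powershell
# Audit a directory tree for allow-ACEs that let Everyone (S-1-1-0) write.
# -Root is a placeholder: the advisory does not state the Evoko Home
# install path, so pass the real one for the host being checked.
param(
    [Parameter(Mandatory)]
    [string]$Root
)

$sidType = [System.Security.Principal.SecurityIdentifier]

# Rights that allow replacing or planting files, or rewriting the ACL.
# The two hex values are GENERIC_ALL and GENERIC_WRITE, which can appear
# unmapped on inherit-only entries.
$riskyMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000

$items = @(Get-Item -LiteralPath $Root -Force) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

$findings = @(foreach ($item in $items) {
    try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }

    # Ask for SIDs instead of names so the match does not depend on the
    # localized display name of the Everyone group.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.IdentityReference.Value -ne 'S-1-1-0') { continue }
        if ($ace.AccessControlType -ne 'Allow')         { continue }
        if (([int]$ace.FileSystemRights -band $riskyMask) -eq 0) { continue }

        [pscustomobject]@{
            Path      = $item.FullName
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # True: fix the parent, not this item
        }
    }
})

$findings | Sort-Object Path | Format-Table -AutoSize -Wrap
$count = @($findings | Group-Object Path).Count
Write-Host "$count object(s) under $Root grant Everyone write-level access"
```

Entries reported with Inherited = False are where the permission is set explicitly; correcting those and letting inheritance propagate usually clears the rest.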

Key dates

02 Disclosure timeline

December 23, 2024 CVE published
December 24, 2024 Record updated