CVE-2024-13089 HIGH

CVE-2024-13089: Authenticated RCE in update functionality in Guardian/CMC before 24.6.0

Vendor Nozomi Networks
Product Guardian
Weakness CWE-78
Published June 10, 2025
Last update June 10, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Attack requirements Present
Privileges required High
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

An OS command injection vulnerability (CWE-78) in the update functionality may allow an authenticated administrator to execute arbitrary OS commands on the appliance. Users with administrative privileges may upload update packages to upgrade Nozomi Networks Guardian and CMC. These packages are signed and their signatures are validated before installation, but an improper signature validation check was identified, so a crafted update package is not reliably rejected and can be used to inject OS commands. The practical effect is that web-interface administrator access (PR:H in the vector) becomes OS-level command execution on the appliance, impacting confidentiality, integrity, and availability (VC:H/VI:H/VA:H). Guardian and CMC versions before 24.6.0 are affected.
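The advisory does not say how the signature check is improper or where the injected command lands, so the following is an added illustration of the pattern it describes, not Nozomi's code. It assumes a hypothetical tar-based update package (manifest.json plus a payload), an HMAC-SHA256 as a stand-in for the vendor's real signature scheme, a hypothetical installer binary /usr/bin/apply-update, and one hypothetical shape of "improper validation": the signature covers only the payload, leaving the manifest that feeds the install command unsigned. The vulnerable installer returns the shell command line it would run; the hardened one verifies the signature over every byte of the archive before parsing anything, validates manifest fields against a strict pattern, and builds an argv list so no field can become a second command.

```python
import hashlib
import hmac
import io
import json
import re
import tarfile

# Constructed demo key; stands in for the vendor's signing key material,
# which the advisory does not describe.
SIGNING_KEY = b"demo-update-signing-key"

APPLY_BIN = "/usr/bin/apply-update"  # hypothetical installer path
PAYLOAD_PATH = "/tmp/update.bin"     # hypothetical extraction target


def build_package(manifest: dict, payload: bytes) -> bytes:
    """Build a tar update package holding manifest.json and payload (constructed format)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("manifest.json", json.dumps(manifest).encode()), ("payload", payload)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _members(archive: bytes) -> dict:
    """Return {member name: bytes} for every regular file in the archive."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}


def sign(data: bytes) -> bytes:
    """HMAC-SHA256 stands in for a real signature; signer and verifier share SIGNING_KEY."""
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)


def install_vulnerable(archive: bytes, sig: bytes) -> str:
    """Vulnerable shape: the signature covers the payload only, so an administrator can
    rewrite manifest.json at will, and the version field is then spliced into a shell
    command line. Returns the line that would be handed to a shell instead of running it."""
    files = _members(archive)
    if not verify(files["payload"], sig):
        raise ValueError("bad signature")
    manifest = json.loads(files["manifest.json"])
    return f"{APPLY_BIN} --version {manifest['version']} {PAYLOAD_PATH}"  # imagine shell=True here


VERSION_RE = re.compile(r"\d+\.\d+\.\d+")


def install_hardened(archive: bytes, sig: bytes) -> list:
    """Hardened shape: verify the whole archive before parsing it, allow-list the
    manifest field, and pass an argv list (no shell) to the installer."""
    if not verify(archive, sig):
        raise ValueError("update package signature invalid")
    files = _members(archive)
    manifest = json.loads(files["manifest.json"])
    version = str(manifest.get("version", ""))
    if not VERSION_RE.fullmatch(version):
        raise ValueError(f"rejecting manifest version {version!r}")
    return [APPLY_BIN, "--version", version, PAYLOAD_PATH]  # subprocess.run(argv), never shell=True


if __name__ == "__main__":
    payload = b"\x7fELF-demo-payload"  # constructed
    good = build_package({"version": "24.6.0"}, payload)
    print(install_hardened(good, sign(good)))
    evil = build_package({"version": "24.6.0; id > /tmp/pwned"}, payload)
    print(install_vulnerable(evil, sign(payload)))  # signature still passes, command injected
```

The point of the split is ordering: in the hardened path nothing from the package (not even the manifest) is parsed until the signature over the raw bytes has been checked, and even a field that is covered by the signature is still validated before it is used, because a signing key compromise or a mis-scoped check like the one above should not convert directly into command execution.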

Key dates

02 Disclosure timeline

June 10, 2025 CVE published
June 10, 2025 Record updated