CVE-2024-13870 (severity: Low)

CVE-2024-13870: Unauthenticated Firmware Downgrade in Bitdefender Box v1

Vendor Bitdefender
Product BOX v1
Weakness CWE-1328 (Security Version Number Mutable to Older Versions)
Published March 12, 2025
Last update March 12, 2025

CVSS base score (CVSS 4.0)

1.8/10 (Low)
Attack vector Local
Attack complexity High
Attack requirements None
Privileges required None
User interaction Active
Confidentiality Low
Integrity Low
Availability None

CVSS vector

CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/AU:N

What the vulnerability does

Description

An improper access control vulnerability exists in Bitdefender Box 1 (firmware version 1.3.52.928 and below) that allows an unauthenticated attacker to downgrade the device's firmware to an older, potentially vulnerable Bitdefender-signed firmware version. Because the older image carries a valid Bitdefender signature, the signature check alone does not reject it; the missing control is a check that the new version is not older than the installed one. The attack requires the Bitdefender BOX to be booted in Recovery Mode and the attacker to be within Wi-Fi range of the BOX unit.

Key dates

Disclosure timeline

March 12, 2025 CVE published
March 12, 2025 Record updated