CVE-2024-13871 CRITICAL

CVE-2024-13871: Unauthenticated Command Injection in Bitdefender BOX v1

Vendor Bitdefender
Product BOX v1
Weakness CWE-77
Published March 12, 2025
Last update March 12, 2025

CVSS base score 9.4/10

Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01 Description

A command injection vulnerability exists in the /check_image_and_trigger_recovery API endpoint of Bitdefender Box 1 (firmware version 1.3.11.490). This flaw allows an unauthenticated, network-adjacent attacker to execute arbitrary commands on the device, potentially leading to full remote code execution (RCE).

Key dates

02 Disclosure timeline

March 12, 2025 CVE published
March 12, 2025 Record updated