CVE-2024-13872 CRITICAL

CVE-2024-13872: Bitdefender Box Insecure Update Mechanism Vulnerability in libboxhermes.so

Vendor Bitdefender
Product BOX v1
Weakness CWE-319 · Cleartext transmission
Published March 12, 2025
Last update March 12, 2025

CVSS base score

9.4/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

Description

Bitdefender Box, versions 1.3.11.490 through 1.3.11.505, uses the insecure HTTP protocol to download assets over the Internet to update and restart daemons and detection rules on the devices. Updates can be remotely triggered through the /set_temp_token API method. Then, an unauthenticated and network-adjacent attacker can use man-in-the-middle (MITM) techniques to return malicious responses. Restarted daemons that use malicious assets can then be exploited for remote code execution on the device.
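The weakness described above (CWE-319) is an update client that fetches executable assets over plain HTTP and trusts whatever body comes back, so any adjacent party who can answer the request controls what the daemon loads. The following is an added example of the two checks a hardened update path would apply before an asset is installed: refuse any non-TLS transport up front, and verify the downloaded bytes against a digest pinned in a manifest that itself arrived over TLS. It is illustrative code written for this record, not Bitdefender's update client; the host name, manifest entries, payloads and the injected `fetch` callable (used so the example runs offline and can simulate a tampered response) are all constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable
from urllib.parse import urlparse


class UpdateRejected(Exception):
    """Raised when an asset fails a transport or integrity check."""


@dataclass(frozen=True)
class AssetManifestEntry:
    """One entry of a signed/TLS-delivered manifest (hypothetical structure)."""
    name: str
    url: str
    sha256_hex: str


# Hypothetical update host; a real client would pin the host(s) it is allowed to fetch from.
ALLOWED_UPDATE_HOSTS = frozenset({"updates.example.invalid"})


def check_update_url(url: str) -> str:
    """Reject cleartext transport and unexpected hosts before any request is made."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise UpdateRejected(f"refusing cleartext transport for {url!r}")
    if parsed.hostname not in ALLOWED_UPDATE_HOSTS:
        raise UpdateRejected(f"refusing unexpected update host {parsed.hostname!r}")
    return url


def verify_asset(entry: AssetManifestEntry, payload: bytes) -> bytes:
    """Compare the downloaded bytes against the digest pinned in the manifest."""
    actual = hashlib.sha256(payload).hexdigest()
    # constant-time compare: not strictly needed for a public digest, but a good habit
    if not hmac.compare_digest(actual, entry.sha256_hex):
        raise UpdateRejected(
            f"digest mismatch for {entry.name}: expected {entry.sha256_hex[:12]}..., "
            f"got {actual[:12]}..."
        )
    return payload


def install_asset(entry: AssetManifestEntry, fetch: Callable[[str], bytes]) -> bytes:
    """Full path: transport check, download, integrity check. Returns verified bytes."""
    check_update_url(entry.url)          # never even issue a cleartext request
    payload = fetch(entry.url)           # fetch is injected so the example runs offline
    return verify_asset(entry, payload)  # only verified bytes reach the installer


# Constructed sample data: a "genuine" rule bundle and a tampered copy a
# man-in-the-middle might substitute on the wire.
GENUINE_PAYLOAD = b"rule-bundle-v1: block known-bad domains\n"
TAMPERED_PAYLOAD = b"rule-bundle-v1: block nothing; run attacker code\n"

GENUINE_ENTRY = AssetManifestEntry(
    name="detection-rules",
    url="https://updates.example.invalid/rules.bin",
    sha256_hex=hashlib.sha256(GENUINE_PAYLOAD).hexdigest(),  # value a TLS manifest would carry
)
CLEARTEXT_ENTRY = AssetManifestEntry(
    name="detection-rules",
    url="http://updates.example.invalid/rules.bin",  # the CWE-319 pattern
    sha256_hex=GENUINE_ENTRY.sha256_hex,
)


def run_scenarios() -> dict:
    """Exercise the three cases a defender cares about and report each outcome."""
    scenarios = {
        "https_genuine": (GENUINE_ENTRY, lambda url: GENUINE_PAYLOAD),
        "https_tampered": (GENUINE_ENTRY, lambda url: TAMPERED_PAYLOAD),
        "http_cleartext": (CLEARTEXT_ENTRY, lambda url: GENUINE_PAYLOAD),
    }
    results = {}
    for name, (entry, fetch) in scenarios.items():
        try:
            install_asset(entry, fetch)
            results[name] = "accepted"
        except UpdateRejected as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:15s} -> {outcome}")
```

Note that the cleartext case is rejected before `fetch` is ever called: a client that only checks integrity after downloading over HTTP still leaks what it is fetching and when, which is the other half of CWE-319. Digest pinning also only helps if the manifest is itself delivered over an authenticated channel or signed; otherwise the same interposition that swaps the asset swaps the digest.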

Key dates

Disclosure timeline

March 12, 2025 CVE published
March 12, 2025 Record updated