CVE-2024-23962 MEDIUM

CVE-2024-23962: Alpine Halo9 Missing Authentication

Vendor Alpine
Product Halo9
Weakness CWE-200 · Info exposure
Published January 30, 2025
Last update July 1, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Alpine Halo9 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the DLT interface, which listens on TCP port 3490 by default. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the device.

Key dates

02Disclosure timeline

January 30, 2025 CVE published
July 1, 2025 Record updated