CVE-2024-2413 CRITICAL

CVE-2024-2413: Intumit SmartRobot - Use of Hard-coded Cryptographic Key

Vendor: Intumit
Product: SmartRobot
Weakness: CWE-321
Published: March 13, 2024
Last update: April 15, 2025

CVSS base score

9.8/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Intumit SmartRobot uses a fixed encryption key for authentication. Remote attackers can use this key to encrypt a string composed of the user's name and timestamp to generate an authentication code. With this authentication code, they can obtain administrator privileges and subsequently execute arbitrary code on the remote server using built-in system functionality.

Key dates

02 Disclosure timeline

March 13, 2024: CVE published
April 15, 2025: Record updated