CVE-2024-28140

CVE-2024-28140: Violation of Least Privilege Principle

Vendor: Image Access GmbH
Product: Scan2Net
Weakness: CWE-250
Published: December 11, 2024
Last update: November 3, 2025

What the vulnerability does

01 Description

The scanner device boots into kiosk mode by default and opens the Scan2Net interface in a browser window. This browser runs with the permissions of the root user, and several other applications also run as root. This can be confirmed by running "ps aux" as the root user and inspecting the output.
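The "ps aux" check described above can be scripted for a fleet audit. The following is an added example, not code from the vendor or the advisory: it filters "ps aux"-format output for userland processes owned by root and flags those whose executable name matches a deny pattern. The sample process table and the names example-browser, example-httpd and example-wm are constructed placeholders, since the page does not name the binaries involved.

```shell
#!/usr/bin/env bash
# Audit `ps aux`-style output for UI processes running as root (CWE-250 check).

# Constructed sample in `ps aux` column layout; not captured from a real device.
sample_ps() {
cat <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  16844  9120 ?        Ss   08:00   0:01 /sbin/init
root         2  0.0  0.0      0     0 ?        S    08:00   0:00 [kthreadd]
root       412  0.0  0.2  72300  6100 ?        Ss   08:00   0:00 /usr/sbin/sshd -D
root       731  1.2  3.4 912000 140000 ?       Sl   08:01   0:42 /usr/bin/example-browser --kiosk http://localhost/
www-data   640  0.0  0.3  90100 12000 ?        S    08:00   0:02 /usr/sbin/example-httpd
kiosk      802  0.1  0.5 210000 21000 ?        Sl   08:01   0:03 /usr/bin/example-wm
EOF
}

# Print "PID<TAB>COMMAND" for every root-owned userland process.
# Kernel threads (command shown in [brackets]) and the header row are skipped.
root_userland() {
  awk 'NR > 1 && $1 == "root" && $11 !~ /^\[/ {
         cmd = $11
         for (i = 12; i <= NF; i++) cmd = cmd " " $i
         print $2 "\t" cmd
       }'
}

# Keep only root processes whose executable basename matches the regex in $1.
# Matching the basename (not the full command line) avoids hits on arguments
# such as "--kiosk".
flag_root_ui() {
  root_userland | awk -F '\t' -v re="$1" '{
         split($2, a, " ")
         exe = a[1]
         sub(/.*\//, "", exe)
         if (exe ~ re) print
       }'
}

# Run against the constructed sample; on a live host, pipe `ps aux` in instead.
sample_ps | flag_root_ui 'browser|wm'
```

The pattern passed to flag_root_ui is an assumption to be replaced with the executable names actually present on the device under review.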

Key dates

02 Disclosure timeline

December 11, 2024: CVE published
November 3, 2025: Record updated