CVE-2024-41988 CRITICAL

CVE-2024-41988: Missing Authentication for Critical Function vulnerability in TEM Opera Plus FM Family Transmitter

Vendor TEM
Product Opera Plus FM Family Transmitter
Weakness CWE-306 · Missing auth
Published October 3, 2024
Last update October 3, 2024

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

TEM Opera Plus FM Family Transmitter exposes an unprotected endpoint that accepts MPFS File System binary image uploads without authentication. This file system serves as the basis for the HTTP2 web server module, is also used by the SNMP module, and is available to other applications that require basic read-only storage capabilities. An unauthenticated attacker can exploit the endpoint to overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code.

Key dates

02 Disclosure timeline

October 3, 2024 CVE published
October 3, 2024 Record updated