CVE-2024-50372 CRITICAL

CVE-2024-50372

Vendor Advantech

Product EKI-6333AC-2G

Weakness CWE-78

Published November 26, 2024

Last update November 26, 2024

View on NVD All CVEs

CVSS base score

9.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability can be exploited by remote unauthenticated users capable of interacting with the default "edgserver" service enabled on the access point and malicious commands are executed with root privileges. No authentication is enabled on the service and the source of the vulnerability resides in processing code associated to the "backup_config_to_utility" operation.

Key dates

02Disclosure timeline

November 26, 2024 CVE published

November 26, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-50372 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

Identifiers

CVE CVE-2024-50372

CWE CWE-78

CVSS 9.8 / CRITICAL

Affected versions

Vendor Advantech

Product EKI-6333AC-2G

Affected ≤ <= 1.6.3

Vendor Advantech

Product EKI-6333AC-2GD

Affected ≤ <= 1.6.3

Vendor Advantech

Product EKI-6333AC-1GPO

Affected ≤ <= 1.2.1

CVE-2024-50372

01Description

02Disclosure timeline

03References

04Related CVE