CVE-2024-2012

Authentication Bypass Using an Alternate Path or Channel (CWE-288)

Published: Jun 11, 2024 / Updated: 5mo ago

CVSS 9.8 (Critical) / EPSS 0.04%

Summary

A vulnerability exists in the FOXMAN-UN/UNEM server / API Gateway that, if exploited, allows an attacker to execute unintended commands or code on the UNEM server, enabling sensitive data to be read or modified or causing other unintended behavior. Affected products are Hitachi Energy's FOXMAN-UN versions r15a, r15b-pc4, r16a and r16b-pc2, and UNEM versions r15a, r15b-pc4, r15b-pc5, r16a and r16b-pc2.

Impact

An attacker who successfully exploits this vulnerability could execute arbitrary code on the UNEM server, potentially leading to data theft, data tampering, or other malicious actions. The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which indicates:
- Network-based attack vector (AV:N): the server or API Gateway only needs to be reachable
- Low attack complexity (AC:L)
- No privileges required (PR:N): the bypass is reachable without a valid account
- No user interaction needed (UI:N)
- Unchanged scope (S:U)
- High impact on confidentiality, integrity, and availability (C:H/I:H/A:H)
Note that the timeline below records NVD's initial assignment as 9.1, and the news item from the day of publication reproduces that value; the 9.8 shown here corresponds to the C:H/I:H/A:H vector. Either way the score is Critical and the combination of AV:N and PR:N makes patching and network isolation urgent.

Exploitation

There is no evidence that a public proof of concept exists, and no evidence of exploitation in the wild at the time of writing. Given the AV:N/PR:N vector, absence of evidence should not be read as low risk for an exposed management server.

Patch

A patch is available. Details are in Hitachi Energy's advisory at https://publisher.hitachienergy.com/preview?DocumentId=8DBD000201&languageCode=en&Preview=true. The patch reference was added to this entry on 2024-08-15.

Mitigation

Specific mitigations were not provided in the vulnerability data. Reasonable measures, in order of priority, are:
1. Apply the available patch from Hitachi Energy as soon as possible.
2. Restrict network access to the FOXMAN-UN/UNEM server and API Gateway; because the vector is AV:N/PR:N, reachability is the only precondition an attacker needs.
3. Enforce authentication and access control on every route of the API Gateway rather than on selected paths, since the weakness class (CWE-288) is a check that can be reached around through an alternate path or channel.
4. Monitor for suspicious activity and unauthorized access attempts against the server and gateway.
5. Keep all systems and software up to date with the latest security patches.
6. Segment the network so that the management server is isolated from general-purpose and user networks.
7. Conduct regular security assessments and penetration testing.
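The block below is an added example and is not code from Hitachi Energy or from the FOXMAN-UN/UNEM product; the page gives no detail of the vulnerable endpoint, so nothing here describes the actual flaw. It shows the generic CWE-288 pattern the CVE is classified under, and the access-control and monitoring points of the mitigation list: a gateway whose authentication check is keyed on the literal request path, the hardened form that normalizes the path first and denies by default, and a log-review pass that surfaces alternate-path probing. The /api tree, the public allowlist, the token and the log lines are constructed assumptions.

```python
"""Added example for the CWE-288 pattern this CVE is classified under:
an API gateway whose authentication check can be reached around through an
alternate spelling of a protected path. This is NOT FOXMAN-UN/UNEM code; the
routes, token and log format are constructed for illustration."""
import posixpath
from urllib.parse import unquote

VALID_TOKENS = {"tok-operator-01"}          # constructed sample credential
PUBLIC_PATHS = {"/health", "/login"}         # hypothetical unauthenticated routes


def normalize_path(raw: str) -> str:
    """Reduce a request path to the single canonical form the backend will
    resolve it to: strip the query, decode percent-encoding until stable
    (so %2561 -> %61 -> a), fold backslashes and repeated leading slashes,
    resolve dot segments, and lower-case (assumes a case-insensitive router)."""
    path = raw.split("?", 1)[0]
    prev = None
    while prev != path:                      # repeat until no encoding is left
        prev, path = path, unquote(path)
    path = path.replace("\\", "/")
    path = posixpath.normpath("/" + path.lstrip("/"))   # normpath would keep '//'
    return path.lower()


def is_protected(path: str) -> bool:
    """Everything under the hypothetical /api tree requires a credential."""
    return path == "/api" or path.startswith("/api/")


def vulnerable_route(raw_path: str, headers: dict):
    """Gateway that keys its auth check on the literal request string.
    The backend resolves the path only after the check, so '/API/users',
    '//api/users', '/%61pi/users' or '/public/../api/users' all bypass it."""
    if raw_path.startswith("/api/") and headers.get("Authorization") not in VALID_TOKENS:
        return 401, None
    return 200, normalize_path(raw_path)     # backend resolution happens too late


def hardened_route(raw_path: str, headers: dict):
    """Normalize first, then authorize on the canonical path with default deny:
    only an explicit allowlist is public; everything else needs a token."""
    path = normalize_path(raw_path)
    if path in PUBLIC_PATHS:
        return 200, path
    if headers.get("Authorization") not in VALID_TOKENS:
        return 401, path
    return 200, path


# Constructed gateway access log, format: "<client> <method> <path> <status>"
SAMPLE_LOG = [
    "10.0.0.5 GET /api/users 200",
    "10.0.0.5 GET /health 200",
    "10.0.0.9 GET /API/users 200",
    "10.0.0.9 GET //api/users 200",
    "10.0.0.9 GET /%61pi/users 200",
    "10.0.0.9 GET /public/../api/users 200",
]


def find_bypass_probes(log_lines):
    """Detection pass for the monitoring mitigation: flag requests whose literal
    path differs from its canonical form yet resolves into the protected tree.
    A legitimate client has no reason to spell '/api/...' any other way."""
    hits = []
    for line in log_lines:
        client, _method, raw, status = line.split()
        canonical = normalize_path(raw)
        if is_protected(canonical) and canonical != raw.split("?", 1)[0]:
            hits.append((client, raw, canonical, status))
    return hits


if __name__ == "__main__":
    for probe in ("/api/users", "/API/users", "/public/../api/users"):
        print(probe, "vulnerable:", vulnerable_route(probe, {}),
              "hardened:", hardened_route(probe, {}))
    for hit in find_bypass_probes(SAMPLE_LOG):
        print("alternate-path probe:", hit)
```

The design point is that the authorization decision and the backend's routing must operate on the same canonical path; any difference between the two is a bypass candidate, which is also why the log pass compares the literal and canonical forms rather than looking for specific attack strings.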

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-2012.

Jun 11, 2024 at 2:08 PM / VulDB Recent Entries
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jun 11, 2024 at 2:08 PM
CVE Assignment

NVD published the first details for CVE-2024-2012

Jun 11, 2024 at 2:15 PM
CVSS

A CVSS base score of 9.1 has been assigned.

Jun 11, 2024 at 2:21 PM / nvd
EPSS

EPSS Score was set to: 0.04% (Percentile: 8.9%)

Jun 12, 2024 at 1:34 PM

Affected Systems

hitachienergy/unem (Hitachi Energy UNEM)

Patches

publisher.hitachienergy.com

Links to Mitre Att&cks

T1083: File and Directory Discovery

Attack Patterns

CAPEC-127: Directory Indexing

News

US-CERT Vulnerability Summary for the Week of June 10, 2024
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available. Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High : vulnerabilities with a CVSS base score of 7.0–10.0 Medium : vulnerabilities with a CVSS base score of 4.0–6.9 Low : vulnerabilities with a CVSS base score of 0.0–3.9 Entries may include additional information provided by organizations and efforts sponsored by CISA.
Vulnerability Summary for the Week of June 10, 2024 (bjackson, Jun 17, 2024). High vulnerabilities, listed as Primary Vendor -- Product: Description; Published; CVSS Score; CVE; Source & Patch Info:
- actpro -- extra_product_options_for_woocommerce: Missing Authorization vulnerability in actpro Extra Product Options for WooCommerce. This issue affects Extra Product Options for WooCommerce: from n/a through 3.0.6. Published 2024-06-10; CVSS 8.8; CVE-2024-35727; audit@patchstack.com
- adfinis -- document-merge-service: Document Merge Service is a document template merge service providing an API to manage templates and merge them with given data. Versions 6.5.1 and prior are vulnerable to remote code execution via server-side template injection which, when executed as root, can result in full takeover of the affected system. As of time of publication, no patched version exists, nor have any known workarounds been disclosed. Published 2024-06-11; CVSS 9.9; CVE-2024-37301; security-advisories@github.com
- Adobe -- Adobe Commerce: Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction. Published 2024-06-13; CVSS 9.8; CVE-2024-34102; psirt@adobe.com
- Adobe -- Adobe Commerce: Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction, but admin privileges are required. Published 2024-06-13; CVSS 9.1; CVE-2024-34108; psirt@adobe.com
- Adobe -- Adobe Commerce: Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation.
@RISK: The Consensus Security Vulnerability Alert: Vol. 24, Num. 24 - SANS Institute
Product: ProjectDiscovery Interactsh, CVSS Score: 9.8. CVE-2024-4295: The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection in versions up to 5.7.20, allowing unauthenticated attackers to extract sensitive information from the database. Product: Zyxel NAS326, CVSS Score: 9.8. CVE-2024-4552: The Social Login Lite For WooCommerce plugin for WordPress is vulnerable to authentication bypass through social login, allowing unauthenticated attackers to log in as any existing user on the site, up to version 1.6.0.
CVE-2024-2012 - vulnerability exists in the FOXMAN-UN/UNEM server
CVE ID: CVE-2024-2012. Published: June 11, 2024, 2:15 p.m. Description: A vulnerability exists in the FOXMAN-UN/UNEM server / API Gateway that, if exploited, an attacker could use to allow unintended commands or code to be executed on the UNEM server, allowing sensitive data to be read or modified or causing other unintended behavior. Severity: 9.1 CRITICAL.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
