Missing Authentication for Critical Function (CWE-306)
This vulnerability affects Deep Sea Electronics DSE855 devices and allows a network-adjacent attacker to bypass authentication on the web-based UI. The flaw is that the device does not require authentication before granting access to functionality that should be protected. It is classified as CWE-306: Missing Authentication for Critical Function.
An attacker can use this vulnerability to create a denial-of-service condition on the device. The CVSS v3 base score is reported as 7.1 (High), with the following impacts:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: High
The attack vector is adjacent network, and the attack requires no privileges and no user interaction. Note that the vector string listed below carries I:N (no integrity impact), which scores 6.5 (Medium) rather than 7.1; the two scores that appear on this page differ only in the Integrity metric. In practice, the attacker needs a foothold on the same network segment as the device, after which the attack is easy to perform and can significantly disrupt availability.
One proof-of-concept exploit is available on zerodayinitiative.com. There is currently no evidence of exploitation in the wild.
As of the latest update (May 24, 2024), no patch is available. The vendor did not respond to the Zero Day Initiative's (ZDI) attempts to coordinate disclosure, and ZDI's advisory carries a June 13, 2024 publication date as a zero-day advisory.
Since no fix is available, the only effective mitigation is to restrict network access to the device's web UI. Security teams should prioritize isolating affected DSE855 devices from untrusted network segments. Because the attack vector is adjacent network, perimeter filtering alone is not enough: the controller should sit in its own VLAN or firewalled subnet, with its HTTP/HTTPS ports reachable only from a dedicated management segment.
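The following is an added example, not part of the advisory or vendor code, showing how to express that isolation policy as a check and run it over firewall logs to confirm the segmentation is actually enforced. The controller address (10.50.3.7), the management subnet (10.20.0.0/24), the log line format and the log lines themselves are all constructed for illustration; adapt the parser to your own firewall's log format.

```python
"""Audit of web-UI reachability for an isolated DSE855 controller.

Added example (not from the advisory). Policy: the controller's HTTP/HTTPS
ports may only be reached from the management subnet. Every address and the
log format below are hypothetical placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass

DSE855_ADDRS = {ipaddress.ip_address("10.50.3.7")}        # hypothetical controller IP
WEB_UI_PORTS = {80, 443}                                   # web-based UI ports
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # hypothetical management segment

# Constructed firewall log format: "<ts> <ACCEPT|DROP> src=.. dst=.. proto=.. dport=.."
_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    action: str
    reason: str


def is_allowed(src, dst, dport):
    """True if a TCP flow complies with the isolation policy.

    Flows that are not aimed at the controller's web UI are out of scope for
    this policy and are treated as allowed here.
    """
    if dst not in DSE855_ADDRS or dport not in WEB_UI_PORTS:
        return True
    return any(src in net for net in MANAGEMENT_NETS)


def audit(lines):
    """Return findings for every web-UI flow that originates outside management.

    An ACCEPT from outside the management segment means the firewall policy is
    not enforcing the isolation; a DROP is a blocked probe worth investigating.
    """
    findings = []
    for line in lines:
        m = _LINE_RE.match(line.strip())
        if not m or m["proto"].lower() != "tcp":
            continue  # unparseable or non-TCP: skip
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        dport = int(m["dport"])
        if is_allowed(src, dst, dport):
            continue
        if m["action"] == "ACCEPT":
            reason = "policy violation: web UI reached from outside management segment"
        else:
            reason = "blocked probe of web UI from outside management segment"
        findings.append(Finding(m["ts"], str(src), str(dst), dport, m["action"], reason))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2024-06-14T09:12:01Z ACCEPT src=10.20.0.15 dst=10.50.3.7 proto=tcp dport=443",  # management: OK
    "2024-06-14T09:12:07Z ACCEPT src=10.50.3.42 dst=10.50.3.7 proto=tcp dport=80",   # adjacent host: violation
    "2024-06-14T09:13:30Z DROP src=192.168.77.9 dst=10.50.3.7 proto=tcp dport=80",   # blocked probe
    "2024-06-14T09:14:02Z ACCEPT src=10.50.3.42 dst=10.50.3.8 proto=tcp dport=443",  # other host: out of scope
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ts} {f.action} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

The second sample line is the case the advisory describes: a host on the same segment as the controller reaching the web UI, and the firewall accepting it. If the audit reports any ACCEPT finding, the segmentation exists only on paper.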
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD published the first details for CVE-2024-5951
Feedly found the first article mentioning CVE-2024-5951.
Feedly estimated the CVSS score as HIGH
EPSS Score was set to: 0.04% (Percentile: 9%)
A CVSS base score of 7.1 has been assigned.
A CVSS base score of 6.5 has been assigned.