CVE-2024-13872

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-13872
Bitdefender Box, versions 1.3.11.490 through 1.3.11.505, uses the insecure HTTP protocol to download assets over the Internet to update and restart daemons and detection rules on the devices. Updates can be remotely triggered through the /set_temp_token API method. Then, an unauthenticated and network-adjacent attacker can use man-in-the-middle (MITM) techniques to return malicious responses. Restarted daemons that use malicious assets can then be exploited for remote code execution on the device.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://bitdefender.com/support/security-advisories/insecure-update-mechanism-vulnerability-in-libboxhermes-so-in-bitdefender-box-v1 Vendor Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:bitdefender:box_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bitdefender:box:-:*:*:*:*:*:*:*
History

30 Jul 2025, 00:39

Type Values Removed Values Added
First Time Bitdefender box
Bitdefender
Bitdefender box Firmware
CPE cpe:2.3:h:bitdefender:box:-:*:*:*:*:*:*:*
cpe:2.3:o:bitdefender:box_firmware:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.5
Summary
  • (es) Bitdefender Box, versiones 1.3.11.490 a 1.3.11.505, utiliza el protocolo HTTP inseguro para descargar recursos a través de Internet y actualizar y reiniciar daemons y reglas de detección en los dispositivos. Las actualizaciones se pueden activar remotamente mediante el método de API /set_temp_token. Un atacante no autenticado y adyacente a la red puede usar técnicas de intermediario (MITM) para devolver respuestas maliciosas. Los daemons reiniciados que utilizan recursos maliciosos pueden ser explotados para la ejecución remota de código en el dispositivo.
References () https://bitdefender.com/support/security-advisories/insecure-update-mechanism-vulnerability-in-libboxhermes-so-in-bitdefender-box-v1 - () https://bitdefender.com/support/security-advisories/insecure-update-mechanism-vulnerability-in-libboxhermes-so-in-bitdefender-box-v1 - Vendor Advisory

12 Mar 2025, 12:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-03-12 12:15

Updated : 2025-07-30 00:39

NVD link : CVE-2024-13872

Mitre link : CVE-2024-13872

CVE.ORG link : CVE-2024-13872

JSON object : View

Products Affected

bitdefender

  • box_firmware
  • box
CWE
CWE-319

Cleartext Transmission of Sensitive Information