CVE-2024-11969: Incorrect default permissions in Cradlepoint NetCloud Exchange

8.8 CVSS

Description

The NetCloud Exchange client for Windows, version 1.110.50, contains an insecure file and folder permissions vulnerability. A normal (non-admin) user could exploit the weak file and folder permissions to escalate privileges, execute arbitrary code and maintain persistence on the compromised machine. Full control permissions are granted to the ‘Everyone’ group (i.e. any user who has local access to the operating system, regardless of their privileges).
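To check a host for the condition described above, the following added example (not from the advisory or the vendor) lists access-control entries that give the Everyone group write-capable or full control rights on a directory tree. The `-Path` parameter is a placeholder: the advisory does not state the client's install directory, so supply the one used on your systems.

```powershell
# Added example: report ACEs that let Everyone (S-1-1-0) write to a directory tree.
param(
    # Placeholder: the advisory does not give the install path; supply your own.
    [Parameter(Mandatory)][string]$Path
)

$sidType   = [System.Security.Principal.SecurityIdentifier]
$rights    = [System.Security.AccessControl.FileSystemRights]
# Rights that let a non-admin replace or plant files, or rewrite the ACL itself.
$writeMask = [int]($rights::WriteData -bor $rights::AppendData -bor $rights::Delete -bor
                   $rights::ChangePermissions -bor $rights::TakeOwnership)
$fullMask     = [int]$rights::FullControl
$genericAll   = 0x10000000   # GENERIC_ALL, which Get-Acl shows as a raw number
$genericWrite = 0x40000000   # GENERIC_WRITE

$items = @(Get-Item -LiteralPath $Path -Force) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { continue }
    # Request SIDs instead of names so the check also works on localized Windows builds.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.IdentityReference.Value -ne 'S-1-1-0') { continue }   # Everyone
        if ($ace.AccessControlType -ne 'Allow')         { continue }
        $raw = [int]$ace.FileSystemRights
        if (($raw -band $writeMask) -or ($raw -band $genericAll) -or ($raw -band $genericWrite)) {
            [pscustomobject]@{
                Path        = $item.FullName
                Rights      = $ace.FileSystemRights
                FullControl = (($raw -band $fullMask) -eq $fullMask) -or [bool]($raw -band $genericAll)
                Inherited   = $ace.IsInherited
            }
        }
    }
}
$findings | Sort-Object Path | Format-Table -AutoSize
```

Entries with `Inherited` set to `True` come from a parent folder, so the fix belongs on that parent rather than on each file.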

Classification

CVE ID: CVE-2024-11969

CVSS Base Severity: HIGH

CVSS Base Score: 8.8

Affected Products

Vendor: Cradlepoint

Product: NetCloud Exchange Client

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.44% (proportion of vulnerabilities scored less than or equal to this one)

EPSS Date: 2025-02-03 (date this score was calculated)

References

https://www.incibe.es/en/incibe-cert/notices/aviso/incorrect-default-permissions-cradlepoint-netcloud-exchange

Timeline