CVE-2024-13870: Unauthenticated Firmware Downgrade in Bitdefender Box v1

1.8 CVSS

Description

An improper access control vulnerability exists in Bitdefender Box 1 (firmware version 1.3.52.928 and below) that allows an unauthenticated attacker to downgrade the device's firmware to an older, potentially vulnerable version of a Bitdefender-signed firmware. The attack requires Bitdefender BOX to be booted in Recovery Mode and that the attacker be present within the WiFi range of the BOX unit.

Classification

CVE ID: CVE-2024-13870

CVSS Base Severity: LOW

CVSS Base Score: 1.8

CVSS Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/AU:N

Problem Types

CWE-1328: Security Version Number Mutable to Older Versions

Affected Products

Vendor: Bitdefender

Product: BOX v1

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 1.59% (scored less or equal to compared to others)

EPSS Date: 2025-04-10 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-13870
https://bitdefender.com/support/security-advisories/unauthenticated-firmware-downgrade-in-bitdefender-box-v1

Timeline

2025-03-12 12:40:18 UTC
CVE

Unauthenticated Firmware Downgrade in Bitdefender Box v1