CVE-2024-13872: Bitdefender Box Insecure Update Mechanism Vulnerability in libboxhermes.so

9.4 CVSS

Description

Bitdefender Box, versions 1.3.11.490 through 1.3.11.505, downloads the assets used to update and restart its daemons and detection rules over cleartext HTTP. Because an update can be triggered remotely through the /set_temp_token API method, an unauthenticated, network-adjacent attacker can use man-in-the-middle (MITM) techniques to serve malicious responses to those downloads. Daemons restarted with the malicious assets can then be exploited for remote code execution on the device.
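As an added defender-side illustration (not Bitdefender's code; the manifest format, host name and asset contents are constructed), the following shows the two checks an update client needs to close the gap this CVE describes: refusing to fetch assets over cleartext HTTP, and verifying a pinned digest so a body substituted on the wire is rejected before any daemon is restarted.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample asset contents (stand-ins for a rules file and a daemon binary).
RULES_BYTES = b"rule 1: block 203.0.113.0/24\nrule 2: alert on dns tunnelling\n"
DAEMON_BYTES = b"\x7fELF-stand-in-for-a-daemon-binary"

# Hypothetical signed manifest: each asset lists its download URL and the
# SHA-256 digest the update client must see before installing it.  The
# second entry deliberately points at a cleartext http:// URL.
MANIFEST = {
    "hermes-rules.bin": {
        "url": "https://updates.example.invalid/hermes-rules.bin",
        "sha256": hashlib.sha256(RULES_BYTES).hexdigest(),
    },
    "boxhermes-daemon": {
        "url": "http://updates.example.invalid/boxhermes-daemon",
        "sha256": hashlib.sha256(DAEMON_BYTES).hexdigest(),
    },
}


def url_is_transport_safe(url: str) -> bool:
    """Only HTTPS with a host component is acceptable for fetching update assets."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def verify_asset(name: str, data: bytes, manifest=MANIFEST):
    """Decide whether a downloaded asset may be installed.

    Returns (accepted, reason).  An asset is rejected if it is not listed in
    the manifest, if its URL would be fetched in cleartext, or if its digest
    differs from the pinned one (what a MITM-substituted body looks like).
    """
    entry = manifest.get(name)
    if entry is None:
        return False, "asset not in manifest"
    if not url_is_transport_safe(entry["url"]):
        return False, "cleartext download url"
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, entry["sha256"]):
        return False, "digest mismatch"
    return True, "ok"


def evaluate_update(downloaded: dict) -> dict:
    """Map each downloaded asset to its verdict; the caller restarts daemons
    only when every asset in the batch is accepted."""
    return {name: verify_asset(name, data) for name, data in downloaded.items()}
```

A real client would also verify the manifest's own signature with a key baked into the firmware, which is the part left out here.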

Classification

CVE ID: CVE-2024-13872

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.4

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem Types

CWE-319: Cleartext Transmission of Sensitive Information

Affected Products

Vendor: Bitdefender

Product: BOX v1

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 3.46% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-10 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-13872
https://bitdefender.com/support/security-advisories/insecure-update-mechanism-vulnerability-in-libboxhermes-so-in-bitdefender-box-v1

Timeline