Cyber Posture

CVE-2024-10497

High

Published: 17 January 2025
Modified: 15 April 2026
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (12.1th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

A CWE-639 (Authorization Bypass Through User-Controlled Key) vulnerability exists that could allow an authorized attacker to modify values outside those defined by their privileges (elevation of privileges) when the attacker sends modified HTTPS requests to the device.

Security Summary

CVE-2024-10497 is a CWE-639 Authorization Bypass Through User-Controlled Key vulnerability affecting a Schneider Electric device. The issue allows an authorized attacker to modify values outside those defined by their privileges, resulting in elevation of privileges, by sending modified HTTPS requests to the device. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-01-17.

An attacker with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. By crafting and sending modified HTTPS requests, the attacker achieves privilege escalation, enabling unauthorized modifications that lead to high impacts on confidentiality, integrity, and availability.

Mitigation details are provided in the Schneider Electric Security and Safety Notice SEVD-2025-014-08, available at https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-08&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-08.pdf.

Details

CWE(s): CWE-639

References