CVE-2024-12399

High

Published: 17 January 2025

Published

17 January 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H

EPSS Score 0.0020 41.3th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability exists that could cause partial loss of confidentiality, loss of integrity and availability of the HMI when attacker performs man in the middle attack by intercepting the communication.

Security Summary

CVE-2024-12399 is a CWE-924 vulnerability involving improper enforcement of message integrity during transmission in a communication channel. It affects the Human-Machine Interface (HMI), potentially leading to partial loss of confidentiality, loss of integrity, and availability when communications are intercepted. The vulnerability was published on 2025-01-17 with a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H).

An attacker with network access can exploit this vulnerability by performing a man-in-the-middle attack to intercept HMI communications. Exploitation requires high attack complexity and user interaction, but no privileges. Successful attacks can achieve partial loss of confidentiality, high impact on integrity, and high impact on availability of the HMI.

Schneider Electric has published Security and Safety Notice SEVD-2025-014-02, available at https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-02.pdf, which provides details on mitigations for this vulnerability.

Details

CWE(s): CWE-924

References

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-02.pdf
cybersecurity@se.com