CVE-2024-23943

Critical

Published: 18 March 2025

Published

18 March 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score 0.0043 62.5th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2024-23943 is a high-severity vulnerability stemming from a lack of authentication for a critical function in affected devices, classified under CWE-306 (Missing Authentication for Critical Function). This flaw enables unauthenticated remote attackers to gain access to the cloud API. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating high impacts on confidentiality and integrity but no effect on availability. It was published on 2025-03-18.

An unauthenticated remote attacker can exploit this vulnerability over the network with low attack complexity and no user interaction or privileges required. Successful exploitation provides unauthorized access to the cloud API, allowing potential compromise of sensitive data and manipulation of API functions.

Mitigation details are outlined in the VDE CERT advisory available at https://cert.vde.com/en/advisories/VDE-2024-010.

Details

CWE(s): CWE-306

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is a missing authentication flaw (CWE-306) in a cloud API exposed to remote attackers, directly enabling initial access by exploiting a public-facing application without credentials or user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://cert.vde.com/en/advisories/VDE-2024-010
info@cert.vde.com