CVE-2024-24582

High

Published: 12 February 2025

Published

12 February 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0002 3.5th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Improper input validation in XmlCli feature for UEFI firmware for some Intel(R) processors may allow privileged user to potentially enable escalation of privilege via local access.

Security Summary

CVE-2024-24582 is an improper input validation vulnerability, classified under CWE-20, affecting the XmlCli feature in UEFI firmware for some Intel(R) processors. Published on 2025-02-12, it carries a CVSS v3.1 base score of 7.5 (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating high impact across confidentiality, integrity, and availability with a changed scope.

The vulnerability can be exploited by a privileged user (PR:H) with local access (AV:L), though it requires high attack complexity (AC:H) and occurs without user interaction (UI:N). Successful exploitation may enable escalation of privilege, potentially allowing the attacker to gain higher levels of access within the affected system.

Intel's security advisory (INTEL-SA-01139) and a Debian LTS announcement provide details on the issue. Security practitioners should review these references for recommended mitigations and available patches.

Details

CWE(s): CWE-20

References

https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01139.html
secure@intel.com
https://lists.debian.org/debian-lts-announce/2025/03/msg00021.html
af854a3a-2127-422b-91ae-364da2661108