Cyber Posture

CVE-2024-46602

High

Published: 07 January 2025

Modified: 16 April 2025
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0006 (20.0th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Description

An issue was discovered in Elspec G5 digital fault recorder version 1.2.1.12 and earlier. An XML External Entity (XXE) vulnerability may allow an attacker to cause a Denial of Service (DoS) via a crafted XML payload.

Security Summary

CVE-2024-46602 is an XML External Entity (XXE) vulnerability affecting the Elspec G5 digital fault recorder in version 1.2.1.12 and earlier. The flaw, classified under CWE-611, enables an attacker to trigger a Denial of Service (DoS) condition via a crafted XML payload. It received a CVSS v3.1 base score of 7.5, reflecting high severity due to its network accessibility and availability impact.

The vulnerability can be exploited by any unauthenticated attacker with network access to the affected device; attack complexity is low and no user interaction is required. Successful exploitation disrupts device availability by causing a DoS, with no reported impacts on confidentiality or integrity.

For mitigation details, refer to the vendor's security advisory at https://www.elspec-ltd.com/support/security-advisories. The CVE was published on 2025-01-07.

Details

CWE(s)
CWE-611

Affected Products

elspec-ltd g5dfr firmware: ≤ 1.2.2.19
