CVE-2024-46603
Published: 07 January 2025
Description
An XML External Entity (XXE) vulnerability in Elspec Engineering G5 Digital Fault Recorder Firmware v1.2.1.12 allows attackers to cause a Denial of Service (DoS) via a crafted XML payload.
Security Summary
CVE-2024-46603 is an XML External Entity (XXE) vulnerability, classified under CWE-611, affecting Elspec Engineering G5 Digital Fault Recorder Firmware version 1.2.1.12. The flaw lets attackers have the device process malicious XML payloads, leading to a Denial of Service (DoS) condition. It has a CVSS v3.1 base score of 7.5, rated High severity, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: the attack is reachable over the network, has low attack complexity, requires no privileges or user interaction, and has a high impact on availability without affecting confidentiality or integrity.
Remote attackers without authentication can exploit this vulnerability by sending a specially crafted XML payload to the affected firmware. Successful exploitation disrupts the device's functionality, rendering the G5 Digital Fault Recorder unavailable and potentially impacting power system monitoring and fault recording operations in critical infrastructure environments.
Elspec Engineering provides details on this issue via their security advisory at https://www.elspec-ltd.com/support/security-advisories/. Security practitioners should consult this resource for recommended mitigations, such as firmware updates or configuration changes to address the XXE processing flaw.
Details
- CWE(s)