CVE-2024-46933
Published: 20 February 2025
Description
An issue was discovered in Atos Eviden BullSequana XH2140 BMC before C4EM-125: OMF_C4E 101.05.0014. Some BullSequana XH products were shipped without proper hardware programming, leading to a potential denial-of-service with privileged access.
Security Summary
CVE-2024-46933 is a vulnerability in the Atos Eviden BullSequana XH2140 Baseboard Management Controller (BMC) prior to version C4EM-125: OMF_C4E 101.05.0014. The issue stems from some BullSequana XH products being shipped without proper hardware programming, specifically leaving the AST2600 component unconfigured. This flaw, classified under CWE-770 (Allocation of Resources Without Limits or Throttling), has a CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H) and was published on 2025-02-20.
Exploitation requires network access (AV:N) but demands high attack complexity (AC:H) and privileged user rights (PR:H), with no user interaction needed (UI:N). A successful attack can alter system integrity (I:H) and cause denial of service (A:H), and the scope is changed (S:C) because the BMC sits in a privileged position relative to the host it manages. In practice, the denial of service is reachable only once an attacker already holds privileged access to the BMC.
For mitigation details, refer to the vendor advisories, including the Bull PSIRT security bulletin (PSIRT-270, version 2.7, TLP:CLEAR) at https://support.bull.com/ols/product/security/psirt/security-bulletins/ast2600-left-unconfigured-in-bullsequana-xh2140-psirt-270-tlp-clear-version-2-7-cve-2024-46933/view and the Eviden security page at https://eviden.com.
Details
- CWE(s)