CVE-2024-47258
Published: 06 February 2025
Description
2N Access Commander version 2.1 and prior is vulnerable in default settings to Man In The Middle attack due to not verifying certificates of 2N edge devices. 2N has currently released an updated version 3.3 of 2N Access Commander, with added Certificate Fingerprint Verification. Since version 2.2 of 2N Access Commander (released in February 2022) it is also possible to enforce TLS certificate validation. It is recommended that all customers update 2N Access Commander to the latest version and use one of the two mentioned practices.
Security Summary
CVE-2024-47258 affects 2N Access Commander versions 2.1 and earlier, whose default settings do not verify the TLS certificates presented by connected 2N edge devices, leaving the management channel open to man-in-the-middle (MITM) attacks. The weakness is classified as CWE-295 (Improper Certificate Validation) and carries a CVSS v3.1 base score of 8.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N): high severity, driven by full confidentiality and integrity impact with no availability impact.
An attacker with adjacent network access (AV:A), for example on the same LAN or VLAN segment as the devices, needs no privileges or user interaction: positioned between the Access Commander server and a 2N edge device, they can present an arbitrary certificate that the client accepts without checking it. Successful exploitation allows interception and modification of the traffic between the management software and the physical access control hardware, potentially exposing or altering credentials, configuration data, or access control decisions relayed over that channel.
The vendor's fix is 2N Access Commander 3.3, which adds Certificate Fingerprint Verification (each edge device's certificate fingerprint is pinned in Access Commander, so a substituted certificate is rejected). Since version 2.2 (released February 2022), TLS certificate validation can also be enforced as a configuration option; it was not enforced in the default configuration of 2.1 and earlier, which is the root of the finding. The advisory pairs the upgrade with a configuration step: customers should update to the latest version and then enable one of the two mechanisms, as detailed in the vendor advisory at https://www.2n.com/en-GB/download/cve_2024_47258_acom_3_3_v1pdf.
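The three client-side trust postures the summary contrasts (no verification, CA validation, certificate fingerprint verification), shown as an added example with Python's ssl module. This is illustrative code, not 2N's implementation: the mode names, the optional CA file path, the device address and the placeholder pin are assumptions, and the "pin" mode shows the general post-handshake fingerprint check of which the 3.3 feature is one instance.

```python
# Added example (not 2N's code): three client-side TLS trust postures.
# Mode names, CA path, device address and the placeholder pin are assumptions.
import hashlib
import hmac
import socket
import ssl
from typing import Optional


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated
    uppercase hex, the form `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der_cert: bytes, pinned: str) -> bool:
    """Compare the presented certificate against an operator-entered pin.
    Separators and case are normalised; the comparison is constant-time."""
    presented = cert_fingerprint(der_cert).replace(":", "").lower()
    expected = "".join(ch for ch in pinned.lower() if ch in "0123456789abcdef")
    return hmac.compare_digest(presented, expected)


def make_client_context(mode: str, cafile: Optional[str] = None) -> ssl.SSLContext:
    """Build the TLS client context for one of three postures:
      "none" - the <= 2.1 default: any certificate is accepted (MITM-able)
      "ca"   - CA validation plus hostname check, enforceable since 2.2
      "pin"  - no CA check during the handshake; the caller must compare
               the peer's fingerprint afterwards (see connect_pinned)
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname on
    if mode == "none":
        ctx.check_hostname = False       # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE  # accepts whatever the peer presents
    elif mode == "ca":
        if cafile is not None:           # private CA that issued device certs
            ctx.load_verify_locations(cafile=cafile)
    elif mode == "pin":
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # trust comes from the pin, not a CA
    else:
        raise ValueError(f"unknown trust mode: {mode!r}")
    return ctx


def describe_context(ctx: ssl.SSLContext) -> str:
    """Short label of a context's posture, e.g. 'CERT_REQUIRED/hostname=on'."""
    hostname = "on" if ctx.check_hostname else "off"
    return f"{ssl.VerifyMode(ctx.verify_mode).name}/hostname={hostname}"


def connect_pinned(host: str, port: int, pinned: str,
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection to an edge device and keep it only if the
    certificate it presented matches the pinned fingerprint. With CERT_NONE
    the handshake never fails on trust, so this check after wrap_socket is
    the whole defence; a mismatch closes the socket before any request."""
    ctx = make_client_context("pin")
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # SNI only, no name check
    der = tls.getpeercert(binary_form=True)  # DER is returned even unvalidated
    if der is None or not fingerprint_matches(der, pinned):
        tls.close()
        raise ssl.SSLCertVerificationError(
            f"{host}:{port} presented an unexpected certificate "
            f"({cert_fingerprint(der) if der else 'none'}), possible MITM")
    return tls


if __name__ == "__main__":
    # Hypothetical device and placeholder pin; a real pin is read off the
    # device (or from a first trusted contact) and stored with its record.
    DEVICE = ("192.0.2.10", 443)
    PIN = ":".join(["00"] * 32)
    for mode in ("none", "ca", "pin"):
        print(mode, describe_context(make_client_context(mode)))
    try:
        with connect_pinned(*DEVICE, PIN) as tls:
            print("pinned connection established:", tls.version())
    except (OSError, ssl.SSLError) as exc:
        print("connection refused or pin mismatch:", exc)
```

The "pin" posture deliberately leaves CA validation off, because the safeguard is the fingerprint comparison after the handshake, not the chain; the "none" posture is what the advisory describes as the vulnerable default, and the only difference between it and "pin" is that check. Treat the pin as security-critical configuration: it must come from a trusted channel, since pinning a fingerprint captured through an attacker's proxy pins the attacker.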
Details
- CWE(s): CWE-295 (Improper Certificate Validation)