Cyber Posture

CVE-2024-48849

Severity: Critical

Published: 29 January 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: see vendor advisory below
CVSS Score: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H)
EPSS Score: 0.0015 (35.6th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Missing Origin Validation in WebSockets vulnerability in FLXEON. Session management was not sufficient to prevent unauthorized HTTPS requests. This issue affects FLXEON versions 9.3.4 and earlier.

Security Summary

CVE-2024-48849 is a Missing Origin Validation in WebSockets vulnerability (CWE-1385) in ABB FLXEON: the device does not verify where a WebSocket handshake comes from, and its session management alone was not sufficient to prevent unauthorized HTTPS requests. It affects FLXEON versions 9.3.4 and earlier. The CVSS v3.1 base score is 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H), rated critical because the flaw is reachable over the network with low attack complexity, no privileges and, per the vector, no user interaction, with high integrity and availability impact.

The weakness CWE-1385 describes is cross-site WebSocket hijacking: a browser attaches the session cookie to a WebSocket handshake regardless of which page initiated it, so if the server does not check the Origin header, a script on an attacker-controlled page loaded by an already authenticated user can open a socket to the device and issue requests in that user's session. The session cookie is therefore not proof that the request is legitimate, which is the "session management not sufficient" point in the description. Successful exploitation gives low confidentiality impact but high integrity and availability impact: unauthorized actions over the hijacked WebSocket or HTTPS session. Note that the published vector scores UI:N even though the cross-site variant depends on an operator's browser loading attacker content, so exposure is highest where the same browser profile is used both for the device and for general web browsing.
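The check that closes a CWE-1385 hole, as an added example that is not FLXEON code and not taken from the ABB advisory: a WebSocket Upgrade handshake is parsed, and a handshake acceptor that trusts the session cookie alone (the vulnerable pattern) is contrasted with one that also requires an exact-match, allowlisted Origin. The allowlist, the session store, the constructed handshake requests and the helper names (`vulnerable_accept`, `hardened_accept`, `normalize_origin`) are all assumptions made for this example.

```python
"""Origin validation on a WebSocket Upgrade handshake (CWE-1385).

Added example; not FLXEON code and not from the ABB advisory. The allowlist,
session store and handshake requests below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Hypothetical allowlist of origins permitted to open a socket to this server.
ALLOWED_ORIGINS = {"https://bms.example.com", "https://bms.example.com:443"}
# Hypothetical session store: cookie header value -> user.
VALID_SESSIONS = {"sid=7f3a9c": "operator"}


def parse_upgrade_request(raw: bytes) -> dict:
    """Split an HTTP/1.1 request head into method, target and lower-cased headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def is_websocket_upgrade(req: dict) -> bool:
    """RFC 6455 handshake shape: GET, Upgrade: websocket, Connection: Upgrade, a key."""
    h = req["headers"]
    tokens = {t.strip().lower() for t in h.get("connection", "").split(",")}
    return (req["method"] == "GET"
            and h.get("upgrade", "").lower() == "websocket"
            and "upgrade" in tokens
            and "sec-websocket-key" in h)


def normalize_origin(origin: str):
    """Canonical scheme://host[:port] for an Origin value, or None when it is opaque
    ("null"), not http(s), or carries userinfo/path/query that could smuggle a
    trusted-looking string past a substring or prefix comparison."""
    if origin.strip().lower() == "null":
        return None
    try:
        parts = urlsplit(origin.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if "@" in parts.netloc or parts.path or parts.query or parts.fragment:
        return None
    default = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if (port or default) == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


ALLOWED = {normalize_origin(o) for o in ALLOWED_ORIGINS} - {None}


def vulnerable_accept(raw: bytes) -> tuple:
    """The CWE-1385 pattern: a valid session cookie is taken as proof the request is
    ours. A browser sends that cookie on a cross-site handshake too, so any page
    the user visits can open the socket."""
    req = parse_upgrade_request(raw)
    if not is_websocket_upgrade(req):
        return (False, "not a websocket upgrade")
    user = VALID_SESSIONS.get(req["headers"].get("cookie", ""))
    if user is None:
        return (False, "no valid session")
    return (True, user)


def hardened_accept(raw: bytes) -> tuple:
    """Same session check, but first the Origin must normalize to an allowlisted
    value. Cookie-authenticated handshakes with no Origin are refused as well."""
    req = parse_upgrade_request(raw)
    if not is_websocket_upgrade(req):
        return (False, "not a websocket upgrade")
    origin = normalize_origin(req["headers"].get("origin", ""))
    if origin is None or origin not in ALLOWED:
        return (False, "origin not allowed")
    user = VALID_SESSIONS.get(req["headers"].get("cookie", ""))
    if user is None:
        return (False, "no valid session")
    return (True, user)


def handshake(origin, cookie="sid=7f3a9c") -> bytes:
    """Build a constructed Upgrade request; origin=None omits the Origin header."""
    lines = ["GET /ws HTTP/1.1", "Host: bms.example.com", "Upgrade: websocket",
             "Connection: keep-alive, Upgrade",
             "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==", "Sec-WebSocket-Version: 13"]
    if origin is not None:
        lines.append(f"Origin: {origin}")
    if cookie:
        lines.append(f"Cookie: {cookie}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


if __name__ == "__main__":
    cases = {"same-origin page": handshake("https://bms.example.com"),
             "attacker page (CSWSH)": handshake("https://attacker.example"),
             "look-alike host": handshake("https://bms.example.com.attacker.example"),
             "userinfo trick": handshake("https://bms.example.com@attacker.example"),
             "no Origin header": handshake(None)}
    for name, raw in cases.items():
        print(f"{name:24s} vulnerable={vulnerable_accept(raw)[0]!s:5s} hardened={hardened_accept(raw)[0]}")
```

The comparison is an exact match on a normalized scheme, host and port rather than a substring or prefix test, which is why the look-alike host and the userinfo form are refused; a `null` Origin (sandboxed iframes, some redirects) is refused too. Browsers always send Origin on WebSocket handshakes, so refusing cookie-authenticated handshakes that lack one costs nothing for browser clients, while non-browser clients should carry their own token rather than rely on the cookie.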

Mitigation details are available in the vendor advisory at https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5684&LanguageCode=en&DocumentPartId=PDF&Action=Launch.

Details

CWE(s): CWE-1385 (Missing Origin Validation in WebSockets)

References

ABB advisory (FLXEON): https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5684&LanguageCode=en&DocumentPartId=PDF&Action=Launch