CVE-2024-55407
Published: 06 January 2025
Description
An issue in the DeviceIoControl function of ITE Tech. Inc. ITE IO Access v1.0.0.0 allows attackers to perform arbitrary port read and write actions by supplying crafted IOCTL requests.
Security Summary
CVE-2024-55407 is a vulnerability in the DeviceIoControl function of ITE Tech. Inc.'s ITE IO Access v1.0.0.0. The issue allows attackers to perform arbitrary port read and write actions by supplying crafted IOCTL requests. It is classified under CWE-1284: Improper Validation of Specified Index, Quantity, or Range and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability was published on 2025-01-06.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity and no user interaction required. Exploitation involves sending crafted IOCTL requests to the affected component, enabling arbitrary read and write access to hardware ports. This can result in high impacts to confidentiality, integrity, and availability, such as unauthorized data access, modification of system behavior, or disruption of services.
Advisories and additional details are available from the vendor at http://ite.com, and a GitHub repository documenting the vulnerable driver is at https://github.com/heyheysky/vulnerable-driver/blob/master/CVE-2024-55407/CVE-2024-55407_Winio64.sys_README.md.
Details
- CWE(s)