Cyber Posture

CVE-2024-56316

High

Published: 27 January 2025

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0108 (77.9th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

In AXESS ACS (Auto Configuration Server) through 5.2.0, unsanitized user input in the TR069 API allows remote unauthenticated attackers to cause a permanent Denial of Service via crafted TR069 requests on TCP port 9675 or 7547. Rebooting does not resolve the permanent Denial of Service.

Security Summary

CVE-2024-56316 is a denial-of-service vulnerability in AXESS ACS (Auto Configuration Server) versions through 5.2.0, caused by unsanitized user input in the TR069 API. Remote attackers can send crafted TR069 requests to TCP ports 9675 or 7547, triggering a permanent DoS condition. The issue is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-770 (Allocation of Resources Without Limits or Throttling).

Remote unauthenticated attackers with network access to the targeted ports can exploit this vulnerability. Successful exploitation leads to a permanent DoS state in the ACS, where the service becomes unavailable and cannot be restored by rebooting the system.

The y-sec advisory provides further details on the vulnerability: https://www.y-security.de/news-en/axess-auto-configuration-server-denial-of-service-cve-2024-56316/. The available information describes no patch and no specific mitigation beyond general exposure reduction for the affected TR069 ports, and rebooting does not clear the condition.

Details

CWE(s)
CWE-770

References