CVE-2020-29032
Published: 05 March 2021
Summary
CVE-2020-29032 is a high-severity Download of Code Without Integrity Check (CWE-494) vulnerability in Secomea GateManager 8250 firmware. Its CVSS base score is 8.4 (High).
Operationally, it ranks at the 43.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-21414
Vulnerability details
An Upload of Code Without Integrity Check vulnerability in the firmware archive of Secomea GateManager allows an authenticated attacker to execute malicious code on the server. This issue affects Secomea GateManager, all versions prior to 9.4.621054022.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.
- Policies can require integrity verification of software prior to installation, reducing risks from unverified downloads.
- Blocks installation of components lacking a valid signature, mitigating download or installation of code without integrity checks.
- Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
- Acquisition and maintenance portions of the strategy drive requirements for integrity verification of downloaded or supplied code.
- Mandating integrity control and approved-only changes during development prevents incorporation of code or components lacking integrity validation.
- Supply chain protection requires integrity verification of acquired components, directly reducing insertion or tampering of malicious code during delivery.
- Reduces exposure to code obtained without integrity verification by requiring assurance processes that confirm authenticity and absence of tampering.