Cyber Resilience

CVE-2021-35522

Critical

Published: 22 July 2021

Published
22 July 2021
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0410 88.8th percentile
Risk Priority 22 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-35522 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Idemia Visionpass Md Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 11.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A Buffer Overflow in Thrift command handlers in IDEMIA Morpho Wave Compact and VisionPass devices before 2.6.2, Sigma devices before 4.9.4, and MA VP MD devices before 4.9.7 allows remote attackers to achieve code execution, denial of services, and information…

more

disclosure via TCP/IP packets.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

idemia
morphowave compact mdpi firmware
≤ 2.6.2
idemia
morphowave compact mdpi-m firmware
≤ 2.6.2
idemia
visionpass mdpi firmware
≤ 2.6.2
idemia
visionpass mdpi-m firmware
≤ 2.6.2
idemia
visionpass md firmware
all versions
idemia
morphowave compact md firmware
all versions
idemia
sigma lite firmware
all versions
idemia
sigma lite\+ firmware
all versions
idemia
sigma wide firmware
all versions
idemia
sigma extreme firmware
all versions
+1 more product configuration(s) — see NVD for full list

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.

References