Cyber Resilience

CVE-2023-24011

High

Published: 09 January 2025

Modified: 15 April 2026
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)
EPSS Score: 0.0016 (37.1st percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-24011 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 37.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-24011 is a vulnerability arising from a non-compliant implementation of permission document verification in some DDS vendors, specifically due to improper use of the OpenSSL PKCS7_verify function for validating S/MIME signatures. It affects secure DDS databus systems, enabling exploitation through vulnerable attributes in the configuration of PKCS#7 certificate validation. Components impacted include DDS Participants and ROS 2 Nodes that rely on these mechanisms.

The attack scenario involves an unauthenticated attacker over the network (AV:N/AC:L/PR:N) crafting malicious DDS Participants or ROS 2 Nodes equipped with valid certificates. Successful exploitation grants full control over the targeted secure DDS databus system. The CVSS v3.1 score is 8.2 (C:H/I:N/A:L/S:U), which primarily reflects exposure of sensitive information (CWE-200) with limited availability impact.

Advisories and related discussions are available at https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d and https://github.com/ros2/sros2/issues/282, which provide further details on the issue in the context of DDS and ROS 2 implementations.

Vulnerability details

An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate’s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote unauthenticated exploitation of a network-exposed DDS/ROS2 permission validation flaw (PKCS7/S/MIME) enabling full system compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13796 (Shared CWE-200)
CVE-2025-25975 (Shared CWE-200)
CVE-2024-12142 (Shared CWE-200)
CVE-2025-25951 (Shared CWE-200)
CVE-2025-15103 (Shared CWE-200)
CVE-2026-34297 (Shared CWE-200)
CVE-2024-26480 (Shared CWE-200)
CVE-2026-24498 (Shared CWE-200)
CVE-2025-22828 (Shared CWE-200)
CVE-2026-23659 (Shared CWE-200)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Mandates validation of public key certificates prior to use, directly addressing the improper PKCS7_verify implementation flaw in certificate and permission document verification.

prevent

Requires verification of component authenticity prior to or during connections, preventing maliciously crafted DDS Participants or ROS 2 Nodes from compromising the databus.

prevent, recover

Ensures timely flaw remediation to patch the non-compliant OpenSSL PKCS7_verify usage exploited by attackers with valid certificates.
