Cyber Resilience

CVE-2023-24012

High

Published: 09 January 2025

Modified: 15 April 2026
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)
EPSS Score: 0.0016 (37.1th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-24012 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 37.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-24012 is a vulnerability in the validation of PKCS#7 certificates within secure DDS databus systems. It affects DDS Participants or ROS 2 Nodes in implementations by some DDS vendors that employ a non-compliant permission document verification process. The issue stems from an improper use of the OpenSSL PKCS7_verify function when validating S/MIME signatures, allowing exploitation of vulnerable attributes in certificate configurations. The vulnerability carries a CVSS score of 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L) and maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). It was published on 2025-01-09T15:15:11.810.

A remote attacker requires no privileges or user interaction to exploit this vulnerability over the network with low complexity. By arbitrarily crafting malicious DDS Participants or ROS 2 Nodes equipped with valid certificates, the attacker can compromise the targeted secure DDS databus system and gain full control over it. This results in high-impact confidentiality loss, such as exposure of sensitive data, alongside low-impact availability disruption.

Advisories and discussions are documented in references including a GitHub issue at https://github.com/ros2/sros2/issues/282 and technical gists at https://gist.github.com/vmayoral/235c02d0b0ef85a29812eff6980ff80d.

Vulnerability details

An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate’s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1210 Exploitation of Remote Services · Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

The vulnerability enables remote network exploitation of DDS/ROS 2 services via flawed PKCS#7 certificate validation, which maps directly to the public-facing application and remote service exploitation techniques.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13796 · Shared CWE-200
CVE-2025-25975 · Shared CWE-200
CVE-2024-12142 · Shared CWE-200
CVE-2025-25951 · Shared CWE-200
CVE-2025-15103 · Shared CWE-200
CVE-2026-34297 · Shared CWE-200
CVE-2024-26480 · Shared CWE-200
CVE-2026-24498 · Shared CWE-200
CVE-2025-22828 · Shared CWE-200
CVE-2025-54304 · Shared CWE-200

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Requires selection and correct implementation of cryptographic mechanisms, directly mitigating the non-compliant use of OpenSSL's PKCS7_verify function for S/MIME signature validation.

Prevent: Mandates timely identification, reporting, and remediation of the specific flaw in permission document verification, patching the vulnerable DDS implementation.

Prevent: Establishes and maintains PKI certificate validation processes to protect against maliciously crafted certificates exploited in DDS Participant authentication.
