
CVE-2023-30024

Severity: Medium · Public PoC available

Published: 28 April 2023
Modified: 31 January 2025
KEV Added: (not listed)
Patch: (none recorded)
CVSS Score (v3.1): 6.6 (CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0026 (49.8th percentile)
Risk Priority: 13 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-30024 is a medium-severity Improper Privilege Management (CWE-269) vulnerability in Magicjack A921 Firmware. Its CVSS base score is 6.6 (Medium).

Operationally, it is ranked at the 49.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

The MagicJack device, a VoIP solution for internet phone calls, contains a hidden NAND flash memory partition allowing unauthorized read/write access. Attackers can exploit this by replacing the original software with a malicious version, leading to ransomware deployment on the host computer. Affected devices have firmware versions prior to magicJack A921 USB Phone Jack Rev 3.0 V1.4.

CWE(s): CWE-269 (Improper Privilege Management)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: magicjack
Product: a921 firmware
Version: 1.4

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Policy addresses roles, responsibilities, and privilege management to prevent improper privilege assignments. (addresses: CWE-269, CWE-863)

- Access supervision ensures privileges are assigned and managed without improper escalation or retention. (addresses: CWE-269, CWE-863)

- Assigning group/role memberships and access authorizations (privileges) while reviewing accounts addresses improper privilege management. (addresses: CWE-269, CWE-863)

- The small, testable reference monitor reduces the likelihood of incorrect authorization implementations. (addresses: CWE-863, CWE-269)

- Certification evaluates whether authorization decisions are correctly implemented and enforced. (addresses: CWE-863, CWE-269)

- Periodic review and documentation of connection needs reduces incorrect authorization. (addresses: CWE-863, CWE-269)

- Restricting who can perform changes helps ensure privileges are managed properly rather than assigned broadly. (addresses: CWE-269, CWE-863)

- Manages privileges by authorizing only approved personnel and supervising those lacking required authorizations for maintenance. (addresses: CWE-269, CWE-863)
