Cyber Resilience

CVE-2024-10387

High

Published: 25 October 2024
Modified: 05 November 2024
KEV Added: not listed
Patch: none recorded
CVSS v4.0 score: 8.7 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0623 (91.1st percentile)
Risk priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-10387 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Rockwell Automation ThinManager. Its CVSS v4.0 base score is 8.7 (High).

Operationally, it ranks in the top 8.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-10387 is a denial-of-service vulnerability affecting Rockwell Automation ThinManager (see Affected Assets below), classified under CWE-125 as an out-of-bounds read condition. The flaw permits remote manipulation of device behavior through network messages and carries a CVSS 4.0 score of 8.7, driven by a network attack vector, low attack complexity, and high availability impact with no authentication or user interaction required.

An unauthenticated attacker with network access can send crafted messages to the device, resulting in a denial-of-service state that disrupts availability while leaving confidentiality and integrity unaffected.

The referenced Rockwell Automation security advisory SD1708 provides official guidance on mitigation for the affected installations. The associated EPSS score has remained flat at 0.0623 with no material increase since disclosure.

EU & UK References

Vulnerability details

CVE-2024-10387

Impact: A Denial-of-Service vulnerability exists in the affected product. The vulnerability could allow a threat actor with network access to send crafted messages to the device, potentially resulting in Denial-of-Service.

CWE(s)

CWE-125: Out-of-bounds Read

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Rockwell Automation (rockwellautomation)
Product: ThinManager (thinmanager)
Affected versions: 14.0.0; 11.2.0 to 11.2.10; 12.0.0 to 12.0.8; 12.1.0 to 12.1.9

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References