CVE-2024-10497
Published: 17 January 2025
Summary
CVE-2024-10497 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Schneider Electric (inferred from references). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 17.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2024-10497 is a CWE-639 Authorization Bypass Through User-Controlled Key vulnerability affecting a Schneider Electric device. The issue allows an authorized attacker to modify values outside those defined by their privileges, resulting in elevation of privileges, by sending modified HTTPS requests to the device. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-01-17.
An attacker with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. By crafting and sending modified HTTPS requests, the attacker achieves privilege escalation, enabling unauthorized modifications that lead to high impacts on confidentiality, integrity, and availability.
Mitigation details are provided in the Schneider Electric Security and Safety Notice SEVD-2025-014-08, available at https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-08&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-08.pdf.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-33140
Vulnerability details
CWE-639: Authorization Bypass Through User-Controlled Key vulnerability exists that could allow an authorized attacker to modify values outside those defined by their privileges (Elevation of Privileges) when the attacker sends modified HTTPS requests to the device.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authorization bypass via crafted HTTPS requests on network-accessible device directly enables remote exploitation of public-facing app (T1190) for privilege escalation (T1068).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
AC-3 mandates enforcement of approved authorizations for access to resources, directly preventing authorization bypass via user-controlled keys in modified HTTPS requests.
AC-6 applies least privilege to limit authorized users to only necessary accesses, mitigating the impact of privilege elevation from the bypass.
SI-10 requires validation of inputs from external sources like HTTPS requests, blocking processing of modified user-controlled keys that attempt authorization bypass.