CVE-2024-10497

High

Published: 17 January 2025

Published

17 January 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0004 12.3th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-10497 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Schneider Electric (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, ranked at the 12.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

AC-3 mandates enforcement of approved authorizations for access to resources, directly preventing authorization bypass via user-controlled keys in modified HTTPS requests.

AC-6 Least Privilege partial match

prevent

AC-6 applies least privilege to limit authorized users to only necessary accesses, mitigating the impact of privilege elevation from the bypass.

SI-10 Information Input Validation partial match

prevent

SI-10 requires validation of inputs from external sources like HTTPS requests, blocking processing of modified user-controlled keys that attempt authorization bypass.

NVD Description

CWE-639: Authorization Bypass Through User-Controlled Key vulnerability exists that could allow an authorized attacker to modify values outside those defined by their privileges (Elevation of Privileges) when the attacker sends modified HTTPS requests to the device.

Deeper analysisAI

CVE-2024-10497 is a CWE-639 Authorization Bypass Through User-Controlled Key vulnerability affecting a Schneider Electric device. The issue allows an authorized attacker to modify values outside those defined by their privileges, resulting in elevation of privileges, by sending modified HTTPS requests to the device. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-01-17.

An attacker with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. By crafting and sending modified HTTPS requests, the attacker achieves privilege escalation, enabling unauthorized modifications that lead to high impacts on confidentiality, integrity, and availability.

Mitigation details are provided in the Schneider Electric Security and Safety Notice SEVD-2025-014-08, available at https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-08&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-08.pdf.