
CVE-2024-10497

Severity: High

Published: 17 January 2025
Modified: 15 April 2026
CVSS Score v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0006 (17.5th percentile)
Risk Priority: 17 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-10497 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in a Schneider Electric device (vendor inferred from references). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 17.5th percentile by EPSS exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2024-10497 is a CWE-639 Authorization Bypass Through User-Controlled Key vulnerability affecting a Schneider Electric device. The issue allows an authorized attacker to modify values outside those defined by their privileges, resulting in elevation of privileges, by sending modified HTTPS requests to the device. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-01-17.

An attacker with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. By crafting and sending modified HTTPS requests, the attacker achieves privilege escalation, enabling unauthorized modifications that lead to high impacts on confidentiality, integrity, and availability.

Mitigation details are provided in the Schneider Electric Security and Safety Notice SEVD-2025-014-08, available at https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-08&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-08.pdf.


Vulnerability details

CWE-639: Authorization Bypass Through User-Controlled Key vulnerability exists that could allow an authorized attacker to modify values outside those defined by their privileges (Elevation of Privileges) when the attacker sends modified HTTPS requests to the device.


Related Threats

MITRE ATT&CK Enterprise Techniques

- T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1190 Exploit Public-Facing Application (tactic: Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authorization bypass via crafted HTTPS requests to a network-accessible device directly enables remote exploitation of a public-facing application (T1190) for privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-2414 (shared CWE-639)
- CVE-2026-25147 (shared CWE-639)
- CVE-2020-37094 (shared CWE-639)
- CVE-2024-34520 (shared CWE-639)
- CVE-2025-14996 (shared CWE-639)
- CVE-2025-69274 (shared CWE-639)
- CVE-2026-25497 (shared CWE-639)
- CVE-2025-15018 (shared CWE-639)
- CVE-2026-1619 (shared CWE-639)
- CVE-2025-7347 (shared CWE-639)

Affected Assets

Schneider Electric (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

- AC-3 (prevent): AC-3 mandates enforcement of approved authorizations for access to resources, directly preventing authorization bypass via user-controlled keys in modified HTTPS requests.
- AC-6 (prevent): AC-6 applies least privilege to limit authorized users to only necessary accesses, mitigating the impact of privilege elevation from the bypass.
- SI-10 (prevent): SI-10 requires validation of inputs from external sources like HTTPS requests, blocking processing of modified user-controlled keys that attempt authorization bypass.
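The following is an added illustration, not Schneider Electric code, of the CWE-639 pattern this CVE describes and of the AC-3/AC-6/SI-10 controls above: a request handler that authenticates the caller but trusts a user-controlled parameter key, next to a hardened handler that validates the key and enforces the caller's write scope on the server side. The device parameter names, roles and request shape are hypothetical.

```python
# Hypothetical device parameter store and role scopes (constructed sample data).
from dataclasses import dataclass

DEVICE_PARAMS = {
    "display.brightness": 50,
    "net.ntp_server": "pool.ntp.org",
    "admin.password_policy": "strict",
}

# AC-6 least privilege: each role may only write the keys listed here.
WRITE_SCOPE = {
    "operator": {"display.brightness"},
    "admin": set(DEVICE_PARAMS),
}


@dataclass
class Session:
    user: str
    role: str


def vulnerable_set_param(session, request, params):
    """CWE-639: authenticates the session, then writes whatever key the
    client named. Any low-privileged user can modify admin-only values."""
    if session is None:
        return 401, "not authenticated"
    key = request["param"]          # user-controlled key, never checked
    params[key] = request["value"]
    return 200, f"{key} updated"


def hardened_set_param(session, request, params):
    """SI-10: reject keys outside the known schema.
    AC-3: the server, not the request, decides what the caller may write."""
    if session is None:
        return 401, "not authenticated"
    key = request.get("param")
    if not isinstance(key, str) or key not in params:
        return 400, "invalid parameter"
    if key not in WRITE_SCOPE.get(session.role, set()):
        return 403, f"{session.user} may not modify {key}"
    params[key] = request["value"]
    return 200, f"{key} updated"


if __name__ == "__main__":
    operator = Session("alice", "operator")
    tampered = {"param": "admin.password_policy", "value": "none"}
    print(vulnerable_set_param(operator, tampered, dict(DEVICE_PARAMS)))  # (200, ...)
    print(hardened_set_param(operator, tampered, dict(DEVICE_PARAMS)))    # (403, ...)
```

The hardened handler returning 403 for a valid key is the audit signal worth logging: an authenticated user naming a key outside their scope is exactly the modified-request pattern this CVE describes.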

References