CVE-2024-11425
Published: 17 January 2025
Summary
CVE-2024-11425 is a high-severity Incorrect Calculation of Buffer Size (CWE-131) vulnerability in a Schneider Electric product (the vendor is inferred from the references; the affected product is not named on this page). Its CVSS base score is 8.7 (High); the CVSS v3.1 base score is 7.5 (also High). The 8.7 figure is consistent with CVSS v4.0 scoring of the same network-reachable, unauthenticated, availability-only impact.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks in the top 27.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-Service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-11425 is a CWE-131: Incorrect Calculation of Buffer Size vulnerability in the webserver component of a Schneider Electric product. Published on January 17, 2025, the flaw stems from an improperly calculated buffer size in the webserver's handling of HTTPS traffic; a request that trips the miscalculation causes a denial-of-service condition.
An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction. By sending a crafted HTTPS packet to the webserver, the attacker can cause a denial of service, disrupting product availability. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) rates the flaw High; the score is driven entirely by the availability impact, with no confidentiality or integrity effect. Because the attack requires only network reachability to the webserver, any instance exposed beyond a trusted management network should be treated as at risk until the vendor update is applied.
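To make the CWE-131 pattern concrete, the following is an added, constructed example of a webserver request parser that sizes its body buffer from an attacker-controlled Content-Length value. It is not Schneider Electric's code, and the specific calculation behind CVE-2024-11425 is not public; the request strings, the `MAX_BODY_BYTES` policy limit and the function names are assumptions made for illustration. The vulnerable function shows how a wrapped size calculation turns one crafted request into a crash, and the hardened function shows the input-validation and size-ceiling checks that the SI-10 and SC-5 controls listed further down call for.

```c
/* Added illustration of a CWE-131 buffer size miscalculation in an HTTP
 * request parser. Constructed example, not Schneider Electric's webserver
 * code; the exact flaw behind CVE-2024-11425 is not public. */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy limit for this hypothetical device: the largest body the
 * webserver will ever buffer. Any declared length above it is rejected. */
#define MAX_BODY_BYTES (64u * 1024u)

/* Constructed sample requests (not captured traffic). */
static const char REQ_BENIGN[] =
    "POST /api/config HTTP/1.1\r\nHost: plc.example\r\n"
    "Content-Length: 12\r\n\r\n";
static const char REQ_WRAP[] =
    "POST /api/config HTTP/1.1\r\nHost: plc.example\r\n"
    "Content-Length: 4294967295\r\n\r\n";
static const char REQ_NEG[] =
    "POST /api/config HTTP/1.1\r\nHost: plc.example\r\n"
    "Content-Length: -1\r\n\r\n";

/* Case-insensitive "does s start with prefix"; header names are case-insensitive. */
static int prefix_ieq(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Return a pointer to the Content-Length value (after optional whitespace),
 * or NULL when the header is absent. Header lines are CRLF-terminated. */
static const char *find_content_length(const char *hdrs) {
    const char *p = hdrs;
    while (p && *p) {
        if (prefix_ieq(p, "Content-Length:")) {
            p += strlen("Content-Length:");
            while (*p == ' ' || *p == '\t') p++;
            return p;
        }
        p = strstr(p, "\r\n");
        if (p) p += 2;
    }
    return NULL;
}

/* VULNERABLE (CWE-131): the declared length is narrowed to 32 bits and the
 * buffer size is computed as len + 1 for a NUL terminator. "4294967295" (or
 * "-1", which strtoul silently negates to ULONG_MAX) makes len + 1 wrap to 0,
 * so malloc(0) succeeds and the body read that follows writes past the
 * allocation: one way a single crafted request crashes a webserver. */
static uint32_t body_buffer_size_vuln(const char *hdrs) {
    const char *v = find_content_length(hdrs);
    if (!v) return 1;                          /* no body: room for the NUL only */
    uint32_t len = (uint32_t)strtoul(v, NULL, 10);
    return len + 1;                            /* wraps to 0 when len == UINT32_MAX */
}

/* HARDENED: digit-only parse into a wide type with ERANGE checking, a
 * trailing-junk check, and an explicit policy ceiling applied before any
 * size arithmetic, so the calculation can neither wrap nor exceed what the
 * device is willing to buffer. Returns 0 and sets *out on success, -1 otherwise. */
static int body_buffer_size_fixed(const char *hdrs, size_t *out) {
    const char *v = find_content_length(hdrs);
    if (!v) { *out = 1; return 0; }
    if (!isdigit((unsigned char)*v)) return -1;       /* rejects "-1", "+5", "" */
    char *end;
    errno = 0;
    unsigned long long len = strtoull(v, &end, 10);
    if (errno == ERANGE || end == v) return -1;
    while (*end == ' ' || *end == '\t') end++;
    if (*end != '\r' && *end != '\n' && *end != '\0') return -1; /* e.g. "12abc" */
    if (len > MAX_BODY_BYTES) return -1;              /* policy ceiling, checked first */
    *out = (size_t)len + 1;                           /* cannot wrap: len <= 64 KiB */
    return 0;
}

int main(void) {
    const char *reqs[] = { REQ_BENIGN, REQ_WRAP, REQ_NEG };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        size_t safe = 0;
        int rc = body_buffer_size_fixed(reqs[i], &safe);
        printf("request %zu: vulnerable calc = %u bytes, hardened calc = ",
               i, body_buffer_size_vuln(reqs[i]));
        if (rc == 0) printf("%zu bytes\n", safe); else printf("rejected\n");
    }
    return 0;
}
```

The hardened version rejects the request before any allocation happens; in a real embedded webserver the same ceiling should also be enforced on total header size and on the number of headers, since those are the other common inputs to a buffer size calculation. The vulnerable function deliberately stops at returning the wrapped size so the example runs safely; the crash would occur in the body-read loop that trusts it.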
Mitigation details are provided in Schneider Electric Security and Safety Notice SEVD-2025-014-01, available at https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-01.pdf.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-34384
Vulnerability details
A CWE-131: Incorrect Calculation of Buffer Size vulnerability exists that could cause a denial of service of the product when an unauthenticated user sends a crafted HTTPS packet to the webserver.
- CWE-131: Incorrect Calculation of Buffer Size
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remote, unauthenticated crafted packet sent to a public-facing webserver directly matches Exploit Public-Facing Application (T1190); the resulting application or system crash is Endpoint Denial of Service: Application or System Exploitation (T1499.004).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the buffer size calculation flaw in the webserver by applying the vendor patches or updates specified in the Schneider Electric security notice.
- SI-10 (Information Input Validation): Validates the size and structure of incoming HTTPS packets so that crafted inputs cannot drive the buffer size calculation to an incorrect value.
- SC-5 (Denial-of-Service Protection): Limits the effect of crafted HTTPS packets aimed at the webserver, for example through request size and rate limits at a gateway in front of the product.
Note that SI-10 and SC-5 are compensating controls: the flawed calculation lives in the product's own parser, so a filter in front of it reduces exposure but does not remove the flaw. Until the vendor update is applied, restricting which networks can reach the webserver is the most dependable interim measure.