Cyber Resilience

CVE-2024-12136

Medium · Updated

Published: 19 March 2025
Modified: 01 June 2026
CVSS Score v3.1: 6.9 (CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0001 (0.9th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-12136 is a medium-severity Missing Critical Step in Authentication (CWE-304) vulnerability in Elfatek ANKA JPD-00028 firmware. Its CVSS base score is 6.9 (Medium).

Operationally, it is ranked at the 0.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-3 (Device Identification and Authentication).

Deeper analysis

CVE-2024-12136 is a Missing Critical Step in Authentication vulnerability (CWE-304) in Elfatek Elektronics ANKA JPD-00028 that enables authentication bypass. The issue affects ANKA JPD-00028 versions prior to V.01.01 and was published on 2025-03-19.

Exploitation requires physical access (AV:P) and high privileges (PR:H), has high attack complexity (AC:H), and needs no user interaction (UI:N). A successful attack has high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) with a changed scope (S:C), giving an overall CVSS v3.1 base score of 6.9 (Medium).

Mitigation guidance is available in the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0071.

Vulnerability details

Missing Critical Step in Authentication vulnerability in Elfatek Elektronics ANKA JPD-00028 allows Authentication Bypass. This issue affects ANKA JPD-00028: before V.01.01.

CWE(s)

CWE-304: Missing Critical Step in Authentication

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42452 (Shared CWE-304)
CVE-2026-40542 (Shared CWE-304)
CVE-2024-20153 (Shared CWE-304)
CVE-2026-44547 (Shared CWE-304)
CVE-2026-30831 (Shared CWE-304)

Affected Assets

elfatek · anka jpd00028 firmware · all versions

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly enforces all required authentication steps before granting access, blocking the missing-step bypass in the ANKA JPD-00028.

Prevent: Mandates device identification and authentication, directly countering the CWE-304 flaw that permits bypass on the JPD-00028 controller.

Prevent: Requires timely patching of the identified authentication flaw to version V.01.01 or later, eliminating the vulnerable code path.
