CVE-2024-12136
Published: 19 March 2025
Summary
CVE-2024-12136 is a medium-severity Missing Critical Step in Authentication (CWE-304) vulnerability in Elfatek Anka Jpd00028 Firmware. Its CVSS base score is 6.9 (Medium).
Operationally, it ranks at the 0.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-3 (Device Identification and Authentication).
Deeper analysis
CVE-2024-12136 is a Missing Critical Step in Authentication vulnerability (CWE-304) in Elfatek Elektronics ANKA JPD-00028 that enables authentication bypass. The issue affects ANKA JPD-00028 versions prior to V.01.01 and was published on 2025-03-19.
Exploitation requires physical access (AV:P), high attack complexity (AC:H), and high privileges (PR:H), with no user interaction (UI:N). A successful attack achieves high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) across a changed scope (S:C), resulting in an overall CVSS v3.1 base score of 6.9 (Medium).
Mitigation guidance is available in the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0071.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54105
Vulnerability details
Missing Critical Step in Authentication vulnerability in Elfatek Elektronics ANKA JPD-00028 allows Authentication Bypass. This issue affects ANKA JPD-00028: before V.01.01.
Related Threats
MITRE ATT&CK Enterprise Techniques
Insufficient information to map techniques.
Mitigating Controls (NIST 800-53 r5)
Directly enforces all required authentication steps before granting access, blocking the missing-step bypass in the ANKA JPD-00028.
Mandates device identification and authentication, directly countering the CWE-304 flaw that permits bypass on the JPD-00028 controller.
Requires timely patching of the identified authentication flaw to version V.01.01 or later, eliminating the vulnerable code path.