CVE-2024-12136
Published: 19 March 2025
Summary
CVE-2024-12136 is a medium-severity Missing Critical Step in Authentication (CWE-304) vulnerability in Elfatek Anka Jpd00028 Firmware. Its CVSS base score is 6.9 (Medium).
Operationally, it ranks at the 0.8th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and PE-3 (Physical Access Control).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly mitigates the CVE by requiring timely application of the vendor patch to V.01.01 or later.
- IA-2 (Identification and Authentication (Organizational Users)): requires proper identification and authentication mechanisms, directly addressing the missing critical step (CWE-304) that enables the bypass.
- PE-3 (Physical Access Control): prevents exploitation by restricting physical access to the device, which is required (AV:P) for this high-complexity attack.
MITRE ATT&CK Enterprise Techniques
Insufficient information to map techniques.
NVD Description
Missing Critical Step in Authentication vulnerability in Elfatek Elektronics ANKA JPD-00028 allows Authentication Bypass. This issue affects ANKA JPD-00028: before V.01.01.
Deeper analysis
CVE-2024-12136 is a Missing Critical Step in Authentication vulnerability (CWE-304) in Elfatek Elektronics ANKA JPD-00028 that enables authentication bypass. The issue affects ANKA JPD-00028 versions prior to V.01.01 and was published on 2025-03-19.
Exploitation requires physical access (AV:P), high attack complexity (AC:H), and high privileges (PR:H), with no user interaction (UI:N). A successful attack achieves high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) across a changed scope (S:C), resulting in an overall CVSS v3.1 base score of 6.9 (Medium).
Mitigation guidance is available in the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0071.
Details
- CWE(s)