CVE-2024-12399

High

Published: 17 January 2025

Published

17 January 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H

EPSS Score 0.0020 41.2th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-12399 is a high-severity Improper Enforcement of Message Integrity During Transmission in a Communication Channel (CWE-924) vulnerability in Schneider Electric (inferred from references). Its CVSS base score is 7.1 (High).

Operationally, ranked at the 41.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SC-23 (Session Authenticity).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-8 Transmission Confidentiality and Integrity good match

prevent

Directly mandates protection of transmission integrity and confidentiality, preventing man-in-the-middle interception and alteration of HMI communications.

SC-23 Session Authenticity good match

prevent

Establishes and maintains session authenticity to specifically counter man-in-the-middle attacks exploiting improper message integrity enforcement.

SC-13 Cryptographic Protection good match

prevent

Implements cryptographic protections that enforce message integrity during transmission in communication channels vulnerable to MitM attacks.

NVD Description

CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability exists that could cause partial loss of confidentiality, loss of integrity and availability of the HMI when attacker performs man in the middle attack by intercepting the…

communication.

Deeper analysisAI

CVE-2024-12399 is a CWE-924 vulnerability involving improper enforcement of message integrity during transmission in a communication channel. It affects the Human-Machine Interface (HMI), potentially leading to partial loss of confidentiality, loss of integrity, and availability when communications are intercepted. The vulnerability was published on 2025-01-17 with a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H).

An attacker with network access can exploit this vulnerability by performing a man-in-the-middle attack to intercept HMI communications. Exploitation requires high attack complexity and user interaction, but no privileges. Successful attacks can achieve partial loss of confidentiality, high impact on integrity, and high impact on availability of the HMI.

Schneider Electric has published Security and Safety Notice SEVD-2025-014-02, available at https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-02.pdf, which provides details on mitigations for this vulnerability.

Details

CWE(s): CWE-924

Affected Products

Schneider Electric

—

inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-0592Shared CWE-924

References

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-02.pdf
cybersecurity@se.com