Cyber Resilience

CVE-2024-12551

High

Published: 11 February 2025

Published
11 February 2025
Modified
18 February 2025
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0025 48.8th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-12551 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Tungstenautomation Power Pdf. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 48.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-12551 is an out-of-bounds read vulnerability in the JP2 file parsing component of Tungsten Automation Power PDF. The flaw stems from a lack of proper validation of user-supplied data, resulting in a read access past the end of an allocated object. This issue enables remote code execution on affected installations and was originally tracked as ZDI-CAN-25567.

Remote attackers can exploit the vulnerability by tricking a target user into visiting a malicious web page or opening a malicious JP2 file, as user interaction is required. No privileges are needed (PR:N), and exploitation has low complexity (AC:L). Successful attacks allow arbitrary code execution in the context of the Power PDF process, with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The vulnerability is categorized under CWE-125.

The Zero Day Initiative published advisory ZDI-24-1677, which provides further details on the vulnerability, available at https://www.zerodayinitiative.com/advisories/ZDI-24-1677/.

EU & UK References

Vulnerability details

Tungsten Automation Power PDF JP2 File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tungsten Automation Power PDF. User interaction is required to exploit this vulnerability in that…

more

the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JP2 files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25567.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Out-of-bounds read in JP2 parsing enables RCE when user opens malicious file or visits malicious page (drive-by).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-12550Same product: Tungstenautomation Power Pdf
CVE-2024-12549Same product: Tungstenautomation Power Pdf
CVE-2024-12547Same product: Tungstenautomation Power Pdf
CVE-2025-0909Shared CWE-125
CVE-2025-0902Shared CWE-125
CVE-2025-0908Shared CWE-125
CVE-2025-0901Shared CWE-125
CVE-2026-0956Shared CWE-125
CVE-2026-21324Shared CWE-125
CVE-2026-9908Shared CWE-125

Affected Assets

tungstenautomation
power pdf
≤ 5.1.1.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires identification, reporting, and correction of the specific out-of-bounds read flaw in JP2 parsing via timely patching.

prevent

Mandates validation of user-supplied data in JP2 files to prevent reads past allocated object boundaries.

prevent

Implements memory safeguards like DEP and ASLR to mitigate exploitation of the out-of-bounds read to arbitrary code execution.

References