CVE-2024-13872

High

Published: 12 March 2025

Published

12 March 2025

Modified

30 July 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0138 80.4th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13872 is a high-severity Cleartext Transmission of Sensitive Information (CWE-319) vulnerability in Bitdefender Box Firmware. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557); ranked in the top 19.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SC-8 (Transmission Confidentiality and Integrity).

Threat & Defense at a Glance

What attackers do: exploitation maps to Adversary-in-the-Middle (T1557). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-8 Transmission Confidentiality and Integrity good match

prevent

Requires confidentiality and integrity protections for transmissions, directly preventing MITM interception and modification of HTTP-downloaded update assets.

SI-7 Software, Firmware, and Information Integrity good match

prevent

Mandates integrity verification of software and firmware, ensuring downloaded assets are validated before daemons restart with potentially malicious content.

CM-14 Signed Components good match

prevent

Enforces use of digitally signed components for updates, providing authenticity and integrity checks against tampered assets from insecure HTTP downloads.

MITRE ATT&CK Enterprise TechniquesAI

T1557 Adversary-in-the-Middle Credential Access

Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.

attack.mitre.org →

Why these techniques?

The vulnerability enables a man-in-the-middle attack on the insecure HTTP update mechanism to deliver malicious assets leading to RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Bitdefender Box, versions 1.3.11.490 through 1.3.11.505, uses the insecure HTTP protocol to download assets over the Internet to update and restart daemons and detection rules on the devices. Updates can be remotely triggered through the /set_temp_token API method. Then, an…

unauthenticated and network-adjacent attacker can use man-in-the-middle (MITM) techniques to return malicious responses. Restarted daemons that use malicious assets can then be exploited for remote code execution on the device.

Deeper analysisAI

CVE-2024-13872 affects Bitdefender Box devices running versions 1.3.11.490 through 1.3.11.505. The vulnerability stems from the use of the insecure HTTP protocol to download assets over the Internet for updating and restarting daemons and detection rules. This issue, classified under CWE-319 (Cleartext Transmission of Sensitive Information), has a CVSS v3.1 base score of 7.5 (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

An unauthenticated, network-adjacent attacker can exploit this by performing a man-in-the-middle (MITM) attack after updates are remotely triggered via the /set_temp_token API method. The attacker intercepts HTTP traffic and returns malicious responses containing tainted assets. Daemons restarted with these malicious assets can then be further exploited to achieve remote code execution on the device.

Bitdefender has issued a security advisory on the insecure update mechanism vulnerability in libboxhermes.so within Bitdefender Box v1, available at https://bitdefender.com/support/security-advisories/insecure-update-mechanism-vulnerability-in-libboxhermes-so-in-bitdefender-box-v1, which provides details on mitigation.