Cyber Resilience

CVE-2024-13872

Critical

Published: 12 March 2025

Published
12 March 2025
Modified
30 July 2025
KEV Added
Patch
CVSS Score v4 9.4 CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0138 80.7th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13872 is a critical-severity Cleartext Transmission of Sensitive Information (CWE-319) vulnerability in Bitdefender Box Firmware. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557); ranked in the top 19.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SC-8 (Transmission Confidentiality and Integrity).

Deeper analysis

CVE-2024-13872 affects Bitdefender Box devices running versions 1.3.11.490 through 1.3.11.505. The vulnerability stems from the use of the insecure HTTP protocol to download assets over the Internet for updating and restarting daemons and detection rules. This issue, classified under CWE-319 (Cleartext Transmission of Sensitive Information), has a CVSS v3.1 base score of 7.5 (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

An unauthenticated, network-adjacent attacker can exploit this by performing a man-in-the-middle (MITM) attack after updates are remotely triggered via the /set_temp_token API method. The attacker intercepts HTTP traffic and returns malicious responses containing tainted assets. Daemons restarted with these malicious assets can then be further exploited to achieve remote code execution on the device.

Bitdefender has issued a security advisory on the insecure update mechanism vulnerability in libboxhermes.so within Bitdefender Box v1, available at https://bitdefender.com/support/security-advisories/insecure-update-mechanism-vulnerability-in-libboxhermes-so-in-bitdefender-box-v1, which provides details on mitigation.

EU & UK References

Vulnerability details

Bitdefender Box, versions 1.3.11.490 through 1.3.11.505, uses the insecure HTTP protocol to download assets over the Internet to update and restart daemons and detection rules on the devices. Updates can be remotely triggered through the /set_temp_token API method. Then, an…

more

unauthenticated and network-adjacent attacker can use man-in-the-middle (MITM) techniques to return malicious responses. Restarted daemons that use malicious assets can then be exploited for remote code execution on the device.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

The vulnerability enables a man-in-the-middle attack on the insecure HTTP update mechanism to deliver malicious assets leading to RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-13871Same product: Bitdefender Box
CVE-2025-23060Shared CWE-319
CVE-2026-32309Shared CWE-319
CVE-2026-6066Shared CWE-319
CVE-2025-2861Shared CWE-319
CVE-2020-36917Shared CWE-319
CVE-2026-24212Shared CWE-319
CVE-2020-36914Shared CWE-319
CVE-2026-41275Shared CWE-319
CVE-2026-5115Shared CWE-319

Affected Assets

bitdefender
box firmware
1.3.11.490 — 1.3.11.505

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires confidentiality and integrity protections for transmissions, directly preventing MITM interception and modification of HTTP-downloaded update assets.

prevent

Mandates integrity verification of software and firmware, ensuring downloaded assets are validated before daemons restart with potentially malicious content.

prevent

Enforces use of digitally signed components for updates, providing authenticity and integrity checks against tampered assets from insecure HTTP downloads.

References