CVE-2024-14033
Published: 02 April 2026
Summary
CVE-2024-14033 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Belden (inferred from references). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 34.3rd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-8 (Transmission Confidentiality and Integrity).
Deeper analysis
CVE-2024-14033 is a heap overflow vulnerability (CWE-400) in the HiLCOS web interface of Hirschmann Industrial IT products, including BAT-R, BAT-F, BAT450-F, BAT867-R, BAT867-F, WLC, and BAT Controller Virtual. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its potential for availability impact. The flaw allows unauthenticated remote attackers to trigger a denial-of-service condition by sending specially crafted requests to the web interface, with increased risk in configurations where Public Spot functionality is enabled.
Unauthenticated attackers with network access to the affected devices can exploit this vulnerability remotely and with low complexity, requiring no privileges or user interaction. Successful exploitation crashes the device, disrupting services and potentially impacting industrial operations reliant on these access points and controllers.
The Belden Security Bulletin BSECV-2024-16 and VulnCheck advisory provide detailed guidance on the vulnerability, including recommended patches and mitigation steps for affected Hirschmann products. Security practitioners should consult these references for version-specific remediation instructions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-55531
Vulnerability details
Hirschmann EagleSDV firmware prior to 05.4.02 contains a denial-of-service vulnerability in TLS session establishment. Attackers can crash the device during TLS handshake by exploiting protocol downgrades to TLS 1.0 or TLS 1.1, interrupting service availability.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Direct remote unauthenticated exploitation of the public web interface, leading to an application or system crash (denial of service).
Mitigating Controls (NIST 800-53 r5) (AI)
- Directly requires mechanisms to protect against or limit the effects of denial-of-service attacks targeting availability during TLS session establishment.
- Enforces cryptographic protections for transmission integrity and confidentiality, preventing exploitation of weak TLS 1.0/1.1 downgrades that lead to the crash.
- Mandates use of approved cryptographic modules and algorithms, directly addressing the protocol downgrade vector in TLS handshakes.