CVE-2024-14034
Published: 02 April 2026
Summary
CVE-2024-14034 is a critical-severity Improper Authentication (CWE-287) vulnerability in Belden (inferred from references). Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
CVE-2024-14034 is an authentication bypass vulnerability (CWE-287) affecting Hirschmann HiEOS devices in versions prior to 01.1.00. The flaw resides in the HTTP(S) management module, where improper authentication handling enables unauthenticated remote attackers to gain administrative access by sending specially crafted HTTP(S) requests. This critical issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its high severity due to network accessibility without prerequisites.
Unauthenticated attackers with network access to the device can exploit this vulnerability remotely over HTTP(S). Successful exploitation grants elevated administrative privileges, allowing unauthorized actions such as downloading or uploading configurations and modifying firmware, potentially leading to full device compromise, data exfiltration, or persistent control.
The Belden Security Bulletin BSECV-2024-02 and Vulncheck advisory detail mitigation steps, with affected versions prior to 01.1.00 indicating that upgrading to version 01.1.00 or later resolves the issue. Security practitioners should consult these references for full patch instructions and additional hardening guidance.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-55533
Vulnerability details
Hirschmann HiEOS devices versions prior to 01.1.00 contain an authentication bypass vulnerability in the HTTP(S) management module that allows unauthenticated remote attackers to gain administrative access by sending specially crafted HTTP(S) requests. Attackers can exploit improper authentication handling to obtain…
more
elevated privileges and perform unauthorized actions including configuration download or upload and firmware modification.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authentication bypass in exposed HTTP(S) management interface directly enables remote exploitation of a public-facing application to obtain administrative access without credentials.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Remediates the authentication bypass vulnerability by identifying, testing, and installing the vendor firmware update to version 01.1.00 or later.
Enforces approved authorizations for logical access in the HTTP(S) management module, preventing unauthenticated attackers from gaining administrative privileges.
Requires unique identification and authentication for organizational users, addressing the improper authentication handling that enables privilege escalation.