CVE-2024-24116
Published: 02 October 2024
Summary
CVE-2024-24116 is a critical-severity Improper Handling of Insufficient Permissions or Privileges (CWE-280) vulnerability in Ruijie RG-NBS2009G-P firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked in the top 0.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Deeper analysis
CVE-2024-24116 is an unauthorized access vulnerability in the Ruijie RG-NBS2009G-P switch running RGOS version 10.4(1)P2 Release(9736). The flaw resides in the system/config_menu.htm endpoint and is assigned a CVSS 3.1 base score of 9.8, reflecting network-accessible exploitation with no required credentials or user interaction and full impact on confidentiality, integrity, and availability. The associated CWEs note insufficient permission enforcement.
A remote attacker can send crafted requests directly to the affected endpoint to escalate privileges and obtain administrative control of the device. Successful exploitation grants the attacker the ability to read, modify, or disrupt switch configuration and traffic handling without prior authentication.
Public references consist of a technical disclosure and proof-of-concept repository demonstrating the access bypass; neither source provides vendor patch information or mitigation steps. The EPSS score stands at 0.8887 with no reported rise from a lower baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-21540
Vulnerability details
An issue in Ruijie RG-NBS2009G-P RGOS v.10.4(1)P2 Release(9736) allows a remote attacker to gain privileges via the system/config_menu.htm.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote exploitation of a public-facing web management interface (config_menu.htm) on a network switch due to incorrect access control, facilitating privilege escalation to server/admin privileges and denial of service via system crash.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.