Cyber Resilience

CVE-2024-27172

CriticalRCE

Published: 14 June 2024

Published
14 June 2024
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.3058 96.8th percentile
Risk Priority 38 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-27172 is a critical-severity OS Command Injection (CWE-78) vulnerability in Toshibatec (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 3.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability tracked as CVE-2024-27172 is an OS command injection flaw (CWE-78) in the Remote Command program that permits unauthenticated remote code execution. It affects specific Toshiba Tec products and models whose details are listed in the vendor advisory; the issue carries a CVSS 3.1 base score of 9.8 reflecting network attackability, low complexity, and full confidentiality, integrity, and availability impact.

An attacker with no credentials or user interaction can send crafted input over the network to the exposed Remote Command interface, causing arbitrary operating-system commands to execute on the target device and thereby gaining full control of the affected system.

Vendor and coordinator advisories at the referenced URLs direct administrators to apply the firmware or configuration updates published by Toshiba Tec in May 2024; the JVN coordination page and Full Disclosure list entries reiterate the same remediation steps and list the precise models covered.

The EPSS score for this CVE currently stands at 0.3058.

EU & UK References

Vulnerability details

Remote Command program allows an attacker to get Remote Code Execution. As for the affected products/models/versions, see the reference URL.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Toshibatec
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

References