Cyber Resilience

CVE-2024-28134

High

Published: 14 May 2024

Modified: 23 January 2025
KEV Added: —
Patch
CVSS v3.1 Score: 7.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H)
EPSS Score: 0.0032 (55.7th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-28134 is a high-severity Cleartext Transmission of Sensitive Information (CWE-319) vulnerability in Phoenixcontact Charx Sec-3000 Firmware. Its CVSS base score is 7.0 (High).

Operationally, it ranks in the top 44.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.


Vulnerability details

An unauthenticated remote attacker can extract a session token with a MitM attack and gain web-based management access with the privileges of the currently logged-in user due to cleartext transmission of sensitive information. No additional user interaction is required.

The access is limited as only non-sensitive information can be obtained, but the availability can be seriously affected.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- phoenixcontact charx sec-3000 firmware, versions ≤ 1.5.1
- phoenixcontact charx sec-3050 firmware, versions ≤ 1.5.1
- phoenixcontact charx sec-3100 firmware, versions ≤ 1.5.1
- phoenixcontact charx sec-3150 firmware, versions ≤ 1.5.1

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Role-based training covers secure transmission methods, mitigating cleartext transmission of sensitive data. (addresses CWE-319)
- By requiring documented security controls for information exchanges, the control reduces the risk of cleartext transmission of sensitive data. (addresses CWE-319)
- Mapping transmission actions in data flows helps prevent cleartext transmission of sensitive information. (addresses CWE-319)
- Settings can enforce secure transmission protocols to prevent cleartext transmission of sensitive data. (addresses CWE-319)
- Policy addresses secure transport and handling of media to avoid cleartext transmission of sensitive information. (addresses CWE-319)
- Enforces safeguards against cleartext transmission of CUI when data leaves organizational boundaries to external systems. (addresses CWE-319)
- Explicit controls and continuous oversight on external system services prevent cleartext transmission of sensitive information over provider-managed channels. (addresses CWE-319)
- Key-establishment procedures specify secure distribution channels that preclude cleartext transmission of key material. (addresses CWE-319)
