Cyber Resilience

CVE-2024-33699

Critical · Public PoC

Published: 30 October 2024
Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced
CVSS v3.1 score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.0719 (91.8th percentile)
Risk priority: 24 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-33699 is a critical-severity Unverified Password Change (CWE-620) vulnerability in LevelOne WBR-6012 firmware. Its CVSS base score is 9.9 (Critical).

Operationally, it ranks in the top 8.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The LevelOne WBR-6012 router is affected by CVE-2024-33699 in firmware version R0.40e6. The vulnerability resides in the device's web application and stems from an unverified password change flaw (CWE-620): the password-change function does not require the caller to prove knowledge of the existing administrator credential before accepting a new one. It carries a CVSS 3.1 base score of 9.9, reflecting a network attack vector, low attack complexity, low required privileges, no user interaction, and changed scope with high impact on confidentiality, integrity, and availability.

An attacker who already possesses low-privileged access to the web interface can exploit the flaw to escalate to full administrative control. Successful exploitation grants the ability to alter device configuration, intercept or modify traffic, and perform other actions that affect the router and any connected systems.
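The difference between the CWE-620 pattern described above and its verified counterpart, as an added illustration that is not the WBR-6012 firmware's own code: the first handler accepts a new password from any authenticated session, while the second refuses unless the current credential is supplied and checked. The in-memory account store and the PBKDF2 hashing scheme are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory account model standing in for the router's admin
# account; an assumption for this example, not the device's real storage.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}


def verify(account: dict, password: str) -> bool:
    # Constant-time comparison of the stored and candidate hashes.
    return hmac.compare_digest(account["hash"], _hash(password, account["salt"]))


def change_password_unverified(account: dict, new_password: str) -> bool:
    # CWE-620 pattern: any session that reaches this handler can set a new
    # password without demonstrating knowledge of the current one.
    account["salt"] = os.urandom(16)
    account["hash"] = _hash(new_password, account["salt"])
    return True


def change_password_verified(account: dict, current_password: str,
                             new_password: str) -> bool:
    # Hardened form: the caller must present the existing credential, and the
    # change is refused (and can be logged as a failed attempt) if it is wrong.
    if not verify(account, current_password):
        return False
    account["salt"] = os.urandom(16)
    account["hash"] = _hash(new_password, account["salt"])
    return True
```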

No mitigation details or patch information are supplied in the available references, which point only to Talos Intelligence vulnerability reports. The associated EPSS score remains flat at 0.0719 with no observed rise after disclosure.

Vulnerability details

The web application of the LevelOne WBR-6012 router, firmware version R0.40e6, allows an attacker to change the administrator password and gain higher privileges without supplying the current password.

CWE(s)

CWE-620: Unverified Password Change
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: level1
Product: wbr-6012 firmware
Version: r0.40e6

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
