CVE-2024-33896
Published: 02 August 2024
Summary
CVE-2024-33896 is a high-severity OS Command Injection (CWE-78) vulnerability in HMS Networks Ewon Cosy+ Firmware. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 4.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Cosy+ industrial remote access gateways running firmware versions 21.x prior to 21.2s10 or 22.x prior to 22.1s3 contain a code injection vulnerability (CWE-78) stemming from improper parameter blacklisting. The flaw affects the device's web interface or configuration handling and carries a CVSS 3.1 score of 7.2 with network attack vector and high privileges required.
An authenticated attacker with administrative access can supply crafted parameters that result in arbitrary command execution on the underlying system, yielding full control over confidentiality, integrity, and availability of the device. Exploitation is possible remotely without user interaction once high-privilege credentials are obtained.
Vendor advisories from HMS Networks and Ewon recommend immediate upgrade to firmware 21.2s10 or 22.1s3, which correct the blacklisting logic. Public disclosure materials, including a detailed technical analysis and the official HMS security advisory, outline the affected product lines and patch availability.
The associated EPSS score has remained in the 0.17–0.19 range with no pronounced post-disclosure increase.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-31600
Vulnerability details
Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 are vulnerable to code injection due to improper parameter blacklisting. This is fixed in version 21.2s10 and 22.1s3.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.