Cyber Resilience

CVE-2024-33896

High · Public PoC · RCE

Published: 02 August 2024
Modified: 04 November 2025
KEV Added: not listed
Patch: firmware 21.2s10 / 22.1s3
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1714 (percentile 95.2)
Risk Priority: 25 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-33896 is a high-severity OS Command Injection (CWE-78) vulnerability in HMS Networks Ewon Cosy+ firmware. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 4.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Cosy+ industrial remote access gateways running firmware versions 21.x prior to 21.2s10 or 22.x prior to 22.1s3 contain an OS command injection vulnerability (CWE-78) stemming from improper parameter blacklisting: the device filters known-bad values instead of validating parameters against an allowlist. The flaw affects the device's web interface or configuration handling and carries a CVSS 3.1 score of 7.2, with a network attack vector and high privileges required.

An authenticated attacker with administrative access can supply crafted parameters that result in arbitrary command execution on the underlying system, yielding full control over the confidentiality, integrity, and availability of the device. Exploitation is possible remotely and without user interaction once high-privilege credentials are obtained, so the practical risk depends on how well administrative credentials and web-interface exposure are controlled.

Vendor advisories from HMS Networks and Ewon recommend immediate upgrade to firmware 21.2s10 or 22.1s3, which correct the blacklisting logic. Public disclosure materials, including a detailed technical analysis and the official HMS security advisory, outline the affected product lines and patch availability.

The associated EPSS score has remained in the 0.17–0.19 range with no pronounced post-disclosure increase.

Vulnerability details

Cosy+ devices running a 21.x firmware below 21.2s10 or a 22.x firmware below 22.1s3 are vulnerable to code injection due to improper parameter blacklisting. This is fixed in versions 21.2s10 and 22.1s3.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

hms-networks
ewon cosy+ firmware
21.0 up to (excluding) 21.2s10 · 22.0 up to (excluding) 22.1s3

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.
