Cyber Resilience

CVE-2024-34329

High

Published: 22 July 2024
Modified: 15 April 2026
KEV Added: not listed
Patch: vendor update available
CVSS Score: v3.1 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0798 (92.3rd percentile)
Risk Priority: 22 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-34329 is a high-severity Insecure Inherited Permissions (CWE-277) vulnerability in Entrust Datacard XPS (inferred from references). Its CVSS base score is 8.4 (High).

Operationally, it ranks in the top 7.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-34329 is an insecure permissions vulnerability in the Entrust Datacard XPS Card Printer Driver version 8.5 and earlier when the dxp1-patch-E24-004 update has not been applied. The flaw, assigned CWE-277 (Insecure Inherited Permissions), permits local placement of a crafted DLL that results in arbitrary code execution with SYSTEM privileges. It carries a CVSS 3.1 score of 8.4, reflecting a local attack vector, low complexity, no required privileges or user interaction, and full confidentiality, integrity, and availability impact.

An unauthenticated local attacker can exploit the weakness by supplying a malicious DLL payload in a location writable by unprivileged users; successful loading by the driver then yields code execution under the SYSTEM account, enabling full control over the affected system.

Entrust security bulletin E24-004 and associated driver downloads direct customers to apply the dxp1-patch-E24-004 update, after which the insecure permissions are corrected. The vendor also provides updated driver packages through its support portal for Instant ID card issuance systems.
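An added example of the post-patch check a defender would run, not code from Entrust or the E24-004 bulletin: it lists ACEs on the driver install directory that grant write rights to low-privilege principals, which is the CWE-277 condition the patch is meant to remove. The directory path is a placeholder, since the page does not name it.

```powershell
# Added example: audit a directory's ACL for the CWE-277 pattern behind
# CVE-2024-34329 (low-privilege principals able to write where a SYSTEM
# process later loads DLLs). Run as a local administrator after patching.
function Test-UnprivilegedWriteAccess {
    param([Parameter(Mandatory)][string]$Path)

    # Well-known low-privilege principals that should never hold write rights here.
    $lowPrivSids = @(
        'S-1-1-0',       # Everyone
        'S-1-5-11',      # Authenticated Users
        'S-1-5-32-545',  # BUILTIN\Users
        'S-1-5-4'        # INTERACTIVE
    )
    # Any of these rights lets a caller plant or replace a file in the directory.
    $writeMask = [System.Security.AccessControl.FileSystemRights](
        'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ' +
        'ChangePermissions, TakeOwnership')

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Resolve the account to a SID so the check does not depend on locale names.
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        if ($lowPrivSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }

        # Emit one finding per offending ACE; IsInherited = $true means the right
        # came from the parent folder, the "inherited permissions" half of CWE-277.
        [pscustomobject]@{
            Path       = $Path
            Identity   = $ace.IdentityReference.Value
            Rights     = $ace.FileSystemRights
            Inherited  = $ace.IsInherited
            AppliesTo  = $ace.InheritanceFlags
        }
    }
}

# Placeholder path: replace with the XPS Card Printer Driver install directory.
$driverDir = 'C:\PLACEHOLDER\Entrust\XPS Card Printer Driver'
# Check the directory itself and every subdirectory the driver may load from.
@($driverDir) + (Get-ChildItem -LiteralPath $driverDir -Recurse -Directory).FullName |
    ForEach-Object { Test-UnprivilegedWriteAccess -Path $_ } |
    Format-Table -AutoSize
```

An empty result means no low-privilege principal can write into the tree; any row returned is a finding to remediate (remove the ACE or break inheritance and re-apply an administrator-only ACL).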

EPSS for the CVE reached a peak of 0.1012 on 2025-12-11 before receding to the current value of 0.0798, indicating a modest post-disclosure increase in exploitation interest. Public proof-of-concept material is available on GitHub.

Vulnerability details

Insecure permissions in Entrust Datacard XPS Card Printer Driver 8.5 and earlier without the dxp1-patch-E24-004 patch allows unauthenticated attackers to execute arbitrary code as SYSTEM via a crafted DLL payload.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Entrust Datacard XPS (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.