
CVE-2024-39717

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 22 August 2024
Modified: 30 October 2025
KEV Added: 23 August 2024

CVSS v3.1 base score: 7.2 (High), vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS score: 0.0536 (90.3rd percentile)
Risk Priority: 38 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-39717 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Versa Networks Versa Director. Its CVSS v3.1 base score is 7.2 (High).

Operationally, it ranks in the top 9.7% of CVEs by EPSS exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

Deeper analysis

CVE-2024-39717 is an unrestricted file upload flaw (CWE-434) in the Versa Director GUI. The interface's "Change Favicon" customization option, available only to authenticated Provider-Data-Center-Admin or Provider-Data-Center-System-Admin users, accepts any file whose name ends in .png without validating that its content is actually an image.

An attacker holding valid credentials for one of these high-privileged roles can therefore upload a payload whose only claim to being an image is its extension. Successful exploitation gives arbitrary file placement on the Director host, which can lead to remote code execution, data compromise, or full control of the system. This matches the CVSS vector: network-reachable, low attack complexity, high privileges required, no user interaction. The privilege requirement is why the score is 7.2 rather than critical; it also means credential protection for these roles is part of the exposure.

Versa Networks has published a security bulletin detailing the issue and the available patches and workarounds. The CVE is listed in CISA's Known Exploited Vulnerabilities catalog, confirming exploitation observed in the wild.
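The weakness described above, as an added Python illustration that is not Versa's code (the page does not show Director's upload handler): an extension-only check accepts any bytes named `*.png`; a signature check still accepts a genuine PNG with a script appended after the IEND chunk; a structural parse of the chunk stream (CRCs, IHDR dimensions, whitelisted chunk types, nothing after IEND) rejects both. Every sample file, including the inert script placeholder, is constructed inside the block; function names and the 512-pixel limit are this example's own choices.

```python
"""
Added illustration (not Versa's code) of the CWE-434 pattern behind
CVE-2024-39717: an upload accepted on file extension alone versus a
structural PNG check. All sample files are constructed in this module.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types a favicon legitimately needs; anything else is rejected.
ALLOWED_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"sRGB", b"pHYs"}


def weak_check(filename: str, data: bytes) -> bool:
    """Extension-only acceptance, the kind of check the advisory describes."""
    return filename.lower().endswith(".png")


def magic_only_check(filename: str, data: bytes) -> bool:
    """Extension plus signature: still passes a PNG with a script appended."""
    return weak_check(filename, data) and data.startswith(PNG_SIGNATURE)


def validate_png(data: bytes, max_dim: int = 512) -> bool:
    """Walk the chunk stream: IHDR first with sane dimensions, every CRC
    correct, only whitelisted chunk types, IEND last, no trailing bytes."""
    if not data.startswith(PNG_SIGNATURE):
        return False
    pos = len(PNG_SIGNATURE)
    first, saw_idat = True, False
    while len(data) - pos >= 12:  # length(4) + type(4) + crc(4) minimum
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_start, body_end = pos + 8, pos + 8 + length
        if ctype not in ALLOWED_CHUNKS or body_end + 4 > len(data):
            return False
        body = data[body_start:body_end]
        (crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False
        if first:
            if ctype != b"IHDR" or length != 13:
                return False
            width, height = struct.unpack(">II", body[:8])
            if not (0 < width <= max_dim and 0 < height <= max_dim):
                return False
            first = False
        elif ctype == b"IDAT":
            saw_idat = True
        elif ctype == b"IEND":
            # Bytes after IEND are not image data: this is where a polyglot fails.
            return saw_idat and length == 0 and body_end + 4 == len(data)
        pos = body_end + 4
    return False  # ran out of data before a terminating IEND


def hardened_check(filename: str, data: bytes) -> bool:
    """Extension check kept for routing, but acceptance rests on the parse."""
    return weak_check(filename, data) and validate_png(data)


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(width: int = 16, height: int = 16) -> bytes:
    """Constructed all-black 8-bit greyscale PNG used as the 'good' favicon."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + bytes(width) for _ in range(height))  # filter 0 + pixels
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b""))


GOOD_FAVICON = make_png()
# Constructed, inert stand-in for a server-side script; not a real webshell.
DISGUISED_SCRIPT = b"<% /* constructed placeholder */ %>\n"
POLYGLOT = GOOD_FAVICON + DISGUISED_SCRIPT  # valid image, payload after IEND

UPLOADS = {  # constructed "upload directory" contents, all named *.png
    "favicon.png": GOOD_FAVICON,
    "favicon2.png": DISGUISED_SCRIPT,
    "logo.png": POLYGLOT,
}


def triage(uploads: dict) -> dict:
    """Return, per file, which of the three checks would have accepted it."""
    return {name: {"extension": weak_check(name, blob),
                   "magic": magic_only_check(name, blob),
                   "structural": hardened_check(name, blob)}
            for name, blob in uploads.items()}


if __name__ == "__main__":
    for name, verdict in triage(UPLOADS).items():
        print(name, verdict)
```

The parse is one layer, not the whole fix: a validated upload should still be written under a server-chosen filename into a directory the application server never executes from, and served back with a fixed `image/png` content type. The chunk whitelist is deliberately strict for a favicon; an alternative with the same effect is decoding the image and re-encoding it, which drops anything that is not pixel data.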

EPSS scores have stayed low, moving only from a starting point near 0.05 to a peak of 0.0597.


Vulnerability details

The Versa Director GUI provides an option to customize the look and feel of the user interface. This option is only available for a user logged in as Provider-Data-Center-Admin or Provider-Data-Center-System-Admin. (Tenant-level users do not have this privilege.) The "Change Favicon" (Favorite Icon) option can be misused to upload a malicious file ending with a .png extension to masquerade as an image file. This is possible only after a user with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin has successfully authenticated and logged in.

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Versa Networks
Product: Versa Director
Affected versions: 21.2.2, 21.2.3, 22.1.1, 22.1.2, 22.1.3

Mitigating Controls

Likely mitigating controls (automated mapping from the cited CWE)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-434) cited in the NVD entry, so it is generic to unrestricted file upload rather than specific to Versa Director. The two entries about portable media and firmware write-protect do not apply to an authenticated web-GUI upload. The controls that do apply here are applying the vendor patch, limiting who holds the Provider-Data-Center-Admin and Provider-Data-Center-System-Admin roles the flaw requires and protecting those credentials, and validating or scanning uploaded content rather than trusting the .png extension.

Addresses CWE-434: Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media. (Not applicable to this CVE: the upload path is the Director web GUI, not removable media.)

Addresses CWE-434: Dangerous file uploads can be detonated in a sandbox to determine malice before any production write or execution occurs.

Addresses CWE-434: Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures. (Not applicable to this CVE: the flaw places files in the Director application, not in firmware.)

Addresses CWE-434: Scans files from external sources on download, open or execute, blocking uploads of dangerous file types.
