CVE-2024-39717
Published: 22 August 2024
Summary
CVE-2024-39717 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Versa Networks Versa Director. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 9.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
Deeper analysis
The vulnerability CVE-2024-39717 is an unrestricted file upload flaw (CWE-434) in the Versa Director GUI. The interface's "Change Favicon" customization option, available only to authenticated Provider-Data-Center-Admin or Provider-Data-Center-System-Admin users, accepts files ending in .png without sufficient validation of their actual content or type.
An attacker with valid credentials for one of these high-privileged roles can upload a malicious payload disguised as an image. Successful exploitation can result in arbitrary file placement on the server, enabling impacts such as remote code execution, data compromise, or full system control, consistent with the CVSS 7.2 rating, which requires no user interaction beyond the initial authentication.
Versa Networks has published a security bulletin detailing the issue and available patches or workarounds. The CVE is also listed in CISA's Known Exploited Vulnerabilities catalog, confirming observed in-the-wild activity.
EPSS scores have stayed low, moving only from a starting point near 0.05 to a peak of 0.0597.
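As an added illustration of the weakness class described above (example code written for this page, not Versa Director's own implementation, which the page does not show), here is an extension-only check of the kind CWE-434 describes next to a content-based PNG validator that a favicon upload handler would want; the sample files are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def weak_is_png(filename: str) -> bool:
    """Extension-only check: anything named *.png passes, whatever its content."""
    return filename.lower().endswith(".png")


def strict_is_png(filename: str, data: bytes, max_bytes: int = 64 * 1024) -> bool:
    """Content check: extension, size cap, PNG signature, every chunk CRC valid,
    IHDR first, and an IEND chunk with no trailing bytes after it."""
    if not filename.lower().endswith(".png") or len(data) > max_bytes:
        return False
    if not data.startswith(PNG_SIGNATURE):
        return False
    pos, first = len(PNG_SIGNATURE), True
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            return False  # chunk claims more bytes than the file holds
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != crc:
            return False  # corrupted or hand-crafted chunk
        if first and (ctype != b"IHDR" or length != 13):
            return False
        first = False
        pos += 12 + length
        if ctype == b"IEND":
            return pos == len(data)  # reject anything appended after IEND
    return False  # no IEND chunk found


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_tiny_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG used as the well-formed sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed samples: a real image, plain text with a .png name, and an image with appended data.
GOOD_PNG = make_tiny_png()
FAKE_PNG = b"not really an image\n"
TRAILING_PNG = GOOD_PNG + b"appended bytes"
```

Both of the non-image samples pass the extension-only check and fail the content-based one.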
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-38202
Vulnerability details
The Versa Director GUI provides an option to customize the look and feel of the user interface. This option is only available for a user logged in with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin. (Tenant level users do not have this privilege). The “Change Favicon” (Favorite Icon) option can be misused to upload a malicious file ending with .png extension to masquerade as an image file. This is possible only after a user with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin has successfully authenticated and logged in.
- CWE(s): CWE-434
- KEV Date Added: 23 August 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
- Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
- Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
- Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.