Cyber Resilience

CVE-2024-42512

High

Published: 10 February 2025

Published
10 February 2025
Modified
29 September 2025
KEV Added
Patch
CVSS Score v3.1 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
EPSS Score 0.0003 10.6th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-42512 is a high-severity Observable Timing Discrepancy (CWE-208) vulnerability in Opcfoundation Ua .Net Standard Stack. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-13 (Cryptographic Protection).

Deeper analysis

CVE-2024-42512 is a vulnerability in the OPC UA .NET Standard Stack prior to version 1.5.374.158. It allows an unauthorized attacker to bypass application authentication when the deprecated Basic128Rsa15 security policy is enabled. The issue is classified under CWE-208 (Observable Timing Discrepancy) and carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L), indicating high severity due to its network accessibility and potential for significant confidentiality impact.

The vulnerability can be exploited by any unauthorized attacker with network access to the affected component, requiring low attack complexity and no privileges, user interaction, or special conditions beyond the Basic128Rsa15 policy being enabled. Successful exploitation enables authentication bypass, granting unauthorized access that could result in high confidentiality loss, such as exposure of sensitive data, alongside low impacts to integrity and availability.

Mitigation details are provided in the OPC Foundation Security Bulletin available at https://files.opcfoundation.org/SecurityBulletins/OPC%20Foundation%20Security%20Bulletin%20CVE-2024-42512.pdf, published on 2025-02-10.

EU & UK References

Vulnerability details

Vulnerability in the OPC UA .NET Standard Stack before 1.5.374.158 allows an unauthorized attacker to bypass application authentication when the deprecated Basic128Rsa15 security policy is enabled.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct authentication bypass in a network-accessible OPC UA service enables exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-68621Shared CWE-208
CVE-2026-40972Shared CWE-208
CVE-2026-5086Shared CWE-208
CVE-2026-28464Shared CWE-208
CVE-2026-42602Shared CWE-208
CVE-2026-47783Shared CWE-208
CVE-2024-13939Shared CWE-208
CVE-2025-48630Shared CWE-208
CVE-2026-47373Shared CWE-208
CVE-2025-70949Shared CWE-208

Affected Assets

opcfoundation
ua .net standard stack
≤ 1.5.374.158

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely remediation of the flaw in OPC UA .NET Standard Stack prior to 1.5.374.158 directly prevents the authentication bypass exploitation.

prevent

Secure configuration settings that disable the deprecated Basic128Rsa15 security policy eliminate the condition required for the timing-based authentication bypass.

prevent

Requiring cryptographic protections with equivalent strength prohibits enabling the weak Basic128Rsa15 policy vulnerable to timing discrepancies.

References