CVE-2024-42512
Published: 10 February 2025
Summary
CVE-2024-42512 is a high-severity Observable Timing Discrepancy (CWE-208) vulnerability in Opcfoundation Ua .Net Standard Stack. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-13 (Cryptographic Protection).
Deeper analysis
CVE-2024-42512 is a vulnerability in the OPC UA .NET Standard Stack prior to version 1.5.374.158. It allows an unauthorized attacker to bypass application authentication when the deprecated Basic128Rsa15 security policy is enabled. The issue is classified under CWE-208 (Observable Timing Discrepancy) and carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L), indicating high severity due to its network accessibility and potential for significant confidentiality impact.
The vulnerability can be exploited by any unauthorized attacker with network access to the affected component, requiring low attack complexity and no privileges, user interaction, or special conditions beyond the Basic128Rsa15 policy being enabled. Successful exploitation enables authentication bypass, granting unauthorized access that could result in high confidentiality loss, such as exposure of sensitive data, alongside low impacts to integrity and availability.
Mitigation details are provided in the OPC Foundation Security Bulletin available at https://files.opcfoundation.org/SecurityBulletins/OPC%20Foundation%20Security%20Bulletin%20CVE-2024-42512.pdf, published on 2025-02-10.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5035
Vulnerability details
Vulnerability in the OPC UA .NET Standard Stack before 1.5.374.158 allows an unauthorized attacker to bypass application authentication when the deprecated Basic128Rsa15 security policy is enabled.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct authentication bypass in a network-accessible OPC UA service enables exploitation of public-facing applications.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely remediation of the flaw in OPC UA .NET Standard Stack prior to 1.5.374.158 directly prevents the authentication bypass exploitation.
Secure configuration settings that disable the deprecated Basic128Rsa15 security policy eliminate the condition required for the timing-based authentication bypass.
Requiring cryptographic protections with equivalent strength prohibits enabling the weak Basic128Rsa15 policy vulnerable to timing discrepancies.