CVE-2024-42512

High

Published: 10 February 2025

Published

10 February 2025

Modified

29 September 2025

KEV Added

—

Patch

—

CVSS Score 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

EPSS Score 0.0003 10.2th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-42512 is a high-severity Observable Timing Discrepancy (CWE-208) vulnerability in Opcfoundation Ua .Net Standard Stack. Its CVSS base score is 8.6 (High).

Operationally, ranked at the 10.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-13 (Cryptographic Protection).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Timely remediation of the flaw in OPC UA .NET Standard Stack prior to 1.5.374.158 directly prevents the authentication bypass exploitation.

CM-6 Configuration Settings good match

prevent

Secure configuration settings that disable the deprecated Basic128Rsa15 security policy eliminate the condition required for the timing-based authentication bypass.

SC-13 Cryptographic Protection good match

prevent

Requiring cryptographic protections with equivalent strength prohibits enabling the weak Basic128Rsa15 policy vulnerable to timing discrepancies.

NVD Description

Vulnerability in the OPC UA .NET Standard Stack before 1.5.374.158 allows an unauthorized attacker to bypass application authentication when the deprecated Basic128Rsa15 security policy is enabled.

Deeper analysisAI

CVE-2024-42512 is a vulnerability in the OPC UA .NET Standard Stack prior to version 1.5.374.158. It allows an unauthorized attacker to bypass application authentication when the deprecated Basic128Rsa15 security policy is enabled. The issue is classified under CWE-208 (Observable Timing Discrepancy) and carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L), indicating high severity due to its network accessibility and potential for significant confidentiality impact.

The vulnerability can be exploited by any unauthorized attacker with network access to the affected component, requiring low attack complexity and no privileges, user interaction, or special conditions beyond the Basic128Rsa15 policy being enabled. Successful exploitation enables authentication bypass, granting unauthorized access that could result in high confidentiality loss, such as exposure of sensitive data, alongside low impacts to integrity and availability.

Mitigation details are provided in the OPC Foundation Security Bulletin available at https://files.opcfoundation.org/SecurityBulletins/OPC%20Foundation%20Security%20Bulletin%20CVE-2024-42512.pdf, published on 2025-02-10.