Cyber Resilience

CVE-2024-42657

High

Published: 19 August 2024

Published
19 August 2024
Modified
20 August 2024
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0209 84.4th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-42657 is a high-severity Missing Encryption of Sensitive Data (CWE-311) vulnerability in Nepstech Ntpl-Xpon1Gfevn Firmware. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040); ranked in the top 15.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

An issue in wishnet Nepstech Wifi Router NTPL-XPON1GFEVN v1.0 allows a remote attacker to obtain sensitive information via the lack of encryption during login process

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1040 Network Sniffing Credential Access
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network.
T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

Lack of encryption on login credentials enables network sniffing (T1040) and adversary-in-the-middle (T1557) attacks to capture sensitive information remotely.

Affected Assets

nepstech
ntpl-xpon1gfevn firmware
1.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-200 CWE-311

A data action map identifies locations where sensitive information may be exposed to unauthorized actors during processing or transfer.

addresses: CWE-200 CWE-311

Privacy and security architectures require controls to protect sensitive information from unauthorized exposure across the system lifecycle.

addresses: CWE-200 CWE-311

Trained staff understand data-handling requirements and are less likely to expose sensitive information through misconfiguration or poor design.

addresses: CWE-200 CWE-311

Policies mandate protection of CUI on external systems, directly reducing unauthorized exposure of sensitive information.

addresses: CWE-200 CWE-311

The assessment process surfaces design decisions that could expose sensitive (including PII) data to unauthorized actors, prompting controls that reduce such exposure.

addresses: CWE-200

Automated marking applies security attributes to system outputs, making it harder for attackers to exploit unmarked sensitive information leading to unauthorized exposure.

addresses: CWE-200

Proper attribute retention and permitted-value enforcement limits unauthorized actors from accessing sensitive information lacking correct labels.

addresses: CWE-200

Prevents unauthorized exposure of sensitive information by prohibiting untrusted external systems from processing or storing it.

References