CVE-2024-42657
Published: 19 August 2024
Summary
CVE-2024-42657 is a high-severity Missing Encryption of Sensitive Data (CWE-311) vulnerability in Nepstech Ntpl-Xpon1Gfevn Firmware. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040); ranked in the top 15.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-39738
Vulnerability details
An issue in wishnet Nepstech Wifi Router NTPL-XPON1GFEVN v1.0 allows a remote attacker to obtain sensitive information via the lack of encryption during login process
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Lack of encryption on login credentials enables network sniffing (T1040) and adversary-in-the-middle (T1557) attacks to capture sensitive information remotely.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
A data action map identifies locations where sensitive information may be exposed to unauthorized actors during processing or transfer.
Privacy and security architectures require controls to protect sensitive information from unauthorized exposure across the system lifecycle.
Trained staff understand data-handling requirements and are less likely to expose sensitive information through misconfiguration or poor design.
Policies mandate protection of CUI on external systems, directly reducing unauthorized exposure of sensitive information.
The assessment process surfaces design decisions that could expose sensitive (including PII) data to unauthorized actors, prompting controls that reduce such exposure.
Automated marking applies security attributes to system outputs, making it harder for attackers to exploit unmarked sensitive information leading to unauthorized exposure.
Proper attribute retention and permitted-value enforcement limits unauthorized actors from accessing sensitive information lacking correct labels.
Prevents unauthorized exposure of sensitive information by prohibiting untrusted external systems from processing or storing it.