Cyber Posture

CVE-2024-45569

Critical

Published: 03 February 2025

Published
03 February 2025
Modified
05 February 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0045 63.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-45569 is a critical-severity Improper Validation of Array Index (CWE-129) vulnerability in Qualcomm Ar8035 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 36.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. AI-specific risk: MITRE ATLAS External Harms (AML.T0048). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

SI-10 requires validation of information inputs like ML IE frames to prevent improper array index handling and memory corruption from invalid content.

SI-16 Memory Protection good match
prevent

SI-16 implements memory safeguards such as address space layout randomization or data execution prevention to mitigate exploitation of memory corruption vulnerabilities.

SI-2 Flaw Remediation good match
preventrecover

SI-2 ensures timely identification, reporting, and patching of flaws like CVE-2024-45569 as detailed in Qualcomm's security bulletin.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Memory corruption vulnerability in parsing malformed ML IE in wireless frames enables remote exploitation for privilege escalation (e.g., kernel/driver RCE) or endpoint denial of service via application/system crash.

MITRE ATLAS TechniquesAI

MITRE ATLAS techniques

AML.T0048: External Harms

NVD Description

Memory corruption while parsing the ML IE due to invalid frame content.

Deeper analysisAI

CVE-2024-45569 is a memory corruption vulnerability stemming from improper validation of array index (CWE-129) while parsing the ML IE due to invalid frame content. It affects components in Qualcomm products, as documented in the vendor's February 2025 security bulletin.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable over the network by unauthenticated attackers requiring low complexity and no user interaction. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, such as arbitrary code execution or system compromise.

Qualcomm's February 2025 security bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2025-bulletin.html details affected products and provides guidance on patches or mitigations. Security practitioners should consult this advisory for specific remediation steps.

Details

CWE(s)
CWE-129

Affected Products

qualcomm
ar8035 firmware
all versions
qualcomm
csr8811 firmware
all versions
qualcomm
fastconnect 6700 firmware
all versions
qualcomm
fastconnect 6900 firmware
all versions
qualcomm
fastconnect 7800 firmware
all versions
qualcomm
immersive home 214 firmware
all versions
qualcomm
immersive home 216 firmware
all versions
qualcomm
immersive home 316 firmware
all versions
qualcomm
immersive home 318 firmware
all versions
qualcomm
immersive home 3210 firmware
all versions
+164 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2024-49833Same product: Qualcomm Fastconnect 6700
CVE-2024-49834Same product: Qualcomm Fastconnect 6700
CVE-2024-53014Same product: Qualcomm Ar8035
CVE-2024-49839Same product: Qualcomm Ar8035
CVE-2024-45558Same product: Qualcomm Ar8035
CVE-2024-49843Same product: Qualcomm Fastconnect 7800
CVE-2024-49837Same product: Qualcomm Qam8255P
CVE-2024-49836Same product: Qualcomm Fastconnect 6900
CVE-2024-45571Same product: Qualcomm Ar8035
CVE-2024-49832Same product: Qualcomm Fastconnect 6900

References