Cyber Resilience

CVE-2024-46603

High

Published: 07 January 2025

Published
07 January 2025
Modified
16 April 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0006 20.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-46603 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Elspec-Ltd G5Dfr Firmware. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-46603 is an XML External Entity (XXE) vulnerability, classified under CWE-611, affecting Elspec Engineering G5 Digital Fault Recorder Firmware version 1.2.1.12. The flaw enables attackers to process malicious XML payloads, leading to a Denial of Service (DoS) condition. It has a CVSS v3.1 base score of 7.5, rated as High severity, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility, low attack complexity, no privileges or user interaction required, and high impact on availability without affecting confidentiality or integrity.

Remote attackers without authentication can exploit this vulnerability by sending a specially crafted XML payload to the affected firmware. Successful exploitation disrupts the device's functionality, rendering the G5 Digital Fault Recorder unavailable and potentially impacting power system monitoring and fault recording operations in critical infrastructure environments.

Elspec Engineering provides details on this issue via their security advisory at https://www.elspec-ltd.com/support/security-advisories/. Security practitioners should consult this resource for recommended mitigations, such as firmware updates or configuration changes to address the XXE processing flaw.

EU & UK References

Vulnerability details

An XML External Entity (XXE) vulnerability in Elspec Engineering G5 Digital Fault Recorder Firmware v1.2.1.12 allows attackers to cause a Denial of Service (DoS) via a crafted XML payload.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

XXE flaw enables remote unauthenticated exploitation of public-facing firmware (T1190) to trigger application/system DoS via crafted XML (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-46602Same product: Elspec-Ltd G5Dfr
CVE-2024-46601Same product: Elspec-Ltd G5Dfr
CVE-2025-10713Shared CWE-611
CVE-2026-24400Shared CWE-611
CVE-2025-12531Shared CWE-611
CVE-2025-65482Shared CWE-611
CVE-2025-65868Shared CWE-611
CVE-2024-56322Shared CWE-611
CVE-2024-49352Shared CWE-611
CVE-2024-2374Shared CWE-611

Affected Assets

elspec-ltd
g5dfr firmware
≤ 1.2.2.19

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the XXE flaw in the firmware via patching or updates as recommended in the vendor advisory, preventing exploitation of crafted XML payloads.

prevent

Validates and sanitizes incoming XML inputs to block external entity processing that leads to DoS in the fault recorder firmware.

prevent

Implements DoS protections to mitigate availability impacts from remote exploitation of the XXE vulnerability without authentication.

References