CVE-2024-46603
Published: 07 January 2025
Summary
CVE-2024-46603 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Elspec-Ltd G5Dfr Firmware. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 20.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-46603 is an XML External Entity (XXE) vulnerability, classified under CWE-611, affecting Elspec Engineering G5 Digital Fault Recorder Firmware version 1.2.1.12. The flaw lets attackers submit malicious XML payloads that the firmware then processes, leading to a Denial of Service (DoS) condition. It has a CVSS v3.1 base score of 7.5, rated as High severity, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vector indicates network accessibility, low attack complexity, no privileges or user interaction required, and high impact on availability with no impact on confidentiality or integrity.
Remote attackers without authentication can exploit this vulnerability by sending a specially crafted XML payload to the affected firmware. Successful exploitation disrupts the device's functionality, rendering the G5 Digital Fault Recorder unavailable and potentially impacting power system monitoring and fault recording operations in critical infrastructure environments.
Elspec Engineering provides details on this issue via their security advisory at https://www.elspec-ltd.com/support/security-advisories/. Security practitioners should consult this resource for recommended mitigations, such as firmware updates or configuration changes to address the XXE processing flaw.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-42198
Vulnerability details
An XML External Entity (XXE) vulnerability in Elspec Engineering G5 Digital Fault Recorder Firmware v1.2.1.12 allows attackers to cause a Denial of Service (DoS) via a crafted XML payload.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The XXE flaw enables remote, unauthenticated exploitation of public-facing firmware (T1190) to trigger an application/system DoS via crafted XML (T1499.004).
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the XXE flaw in the firmware via patching or updates as recommended in the vendor advisory, preventing exploitation of crafted XML payloads.
- Validates and sanitizes incoming XML inputs to block external entity processing that leads to DoS in the fault recorder firmware.
- Implements DoS protections to mitigate availability impacts from remote exploitation of the XXE vulnerability without authentication.