Cyber Resilience

CVE-2024-46933

Severity: High · Tag: DDoS

Published: 20 February 2025

Modified: 15 April 2026
KEV Added: (not listed)
Patch: available
CVSS Score (v3.1): 7.7 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H)
EPSS Score: 0.0004 (13.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-46933 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Eviden BullSequana XH2140 (inferred from references). Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Endpoint Denial of Service (T1499). EPSS ranks the CVE at the 13.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2024-46933 is a vulnerability in the Atos Eviden BullSequana XH2140 Baseboard Management Controller (BMC) prior to version C4EM-125: OMF_C4E 101.05.0014. The issue stems from some BullSequana XH products being shipped without proper hardware programming, specifically leaving the AST2600 component unconfigured. This flaw, classified under CWE-770 (Allocation of Resources Without Limits or Throttling), has a CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H) and was published on 2025-02-20.

Exploitation requires network access (AV:N) but demands high attack complexity (AC:H) and privileged user rights (PR:H), with no user interaction needed (UI:N). Successful attacks can alter system integrity (I:H) and cause denial-of-service (A:H), with a changed scope (S:C) due to the BMC's privileged position. The vulnerability enables potential denial-of-service specifically when privileged access is obtained.

For mitigation details, refer to the vendor advisories, including the Bull PSIRT security bulletin (PSIRT-270, version 2.7, TLP:CLEAR) at https://support.bull.com/ols/product/security/psirt/security-bulletins/ast2600-left-unconfigured-in-bullsequana-xh2140-psirt-270-tlp-clear-version-2-7-cve-2024-46933/view and the Eviden security page at https://eviden.com.

EU & UK References

Vulnerability details

An issue was discovered in Atos Eviden BullSequana XH2140 BMC before C4EM-125: OMF_C4E 101.05.0014. Some BullSequana XH products were shipped without proper hardware programming, leading to a potential denial-of-service with privileged access.

CWE(s)

CWE-770 Allocation of Resources Without Limits or Throttling

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499 Endpoint Denial of Service (Impact)
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.
Why these techniques?

The CWE-770 resource exhaustion weakness in a network-accessible BMC directly enables the DoS impact (I:H/A:H) once privileged access has been obtained.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-8486 (shared CWE-770)
CVE-2024-12537 (shared CWE-770)
CVE-2025-51846 (shared CWE-770)
CVE-2021-47877 (shared CWE-770)
CVE-2020-36950 (shared CWE-770)
CVE-2026-3260 (shared CWE-770)
CVE-2025-66560 (shared CWE-770)
CVE-2026-1718 (shared CWE-770)
CVE-2025-68136 (shared CWE-770)
CVE-2020-37038 (shared CWE-770)

Affected Assets

Vendor: Eviden
Product: BullSequana XH2140
(inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly remediates the CVE by applying vendor firmware updates like C4EM-125 to properly configure the unprogrammed AST2600 component and prevent DoS.

CM-6 Configuration Settings (prevent)

Ensures that baseline configuration settings for BMC hardware components such as the AST2600 are properly programmed, so that units are not shipped or deployed with the unconfigured state that leads to resource exhaustion.

SC-5 Denial-of-service Protection (prevent)

Implements denial-of-service protections, such as resource throttling, to limit the availability impact of exploitation of the unconfigured AST2600.

References