CVE-2024-46933
Published: 20 February 2025
Summary
CVE-2024-46933 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Eviden BullSequana XH2140 (inferred from references). Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Endpoint Denial of Service (T1499). It ranks in the 13.3 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-5 (Denial-of-service Protection).
Deeper analysis
CVE-2024-46933 is a vulnerability in the Atos Eviden BullSequana XH2140 Baseboard Management Controller (BMC) prior to version C4EM-125: OMF_C4E 101.05.0014. The issue stems from some BullSequana XH products being shipped without proper hardware programming, specifically leaving the AST2600 component unconfigured. This flaw, classified under CWE-770 (Allocation of Resources Without Limits or Throttling), has a CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H) and was published on 2025-02-20.
Exploitation requires network access (AV:N) but demands high attack complexity (AC:H) and privileged user rights (PR:H), with no user interaction needed (UI:N). Successful attacks can alter system integrity (I:H) and cause denial-of-service (A:H), with a changed scope (S:C) due to the BMC's privileged position. The vulnerability enables potential denial-of-service specifically when privileged access is obtained.
For mitigation details, refer to the vendor advisories, including the Bull PSIRT security bulletin (PSIRT-270, version 2.7, TLP:CLEAR) at https://support.bull.com/ols/product/security/psirt/security-bulletins/ast2600-left-unconfigured-in-bullsequana-xh2140-psirt-270-tlp-clear-version-2-7-cve-2024-46933/view and the Eviden security page at https://eviden.com.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4589
Vulnerability details
An issue was discovered in Atos Eviden BullSequana XH2140 BMC before C4EM-125: OMF_C4E 101.05.0014. Some BullSequana XH products were shipped without proper hardware programming, leading to a potential denial-of-service with privileged access.
Related Threats
MITRE ATT&CK Enterprise Techniques: Endpoint Denial of Service (T1499)
Why these techniques?
The CWE-770 resource-exhaustion weakness in a network-accessible BMC directly enables the denial-of-service and integrity impact (I:H/A:H) once privileged access is obtained.
Mitigating Controls (NIST 800-53 r5)
- Vendor firmware update: directly remediates the CVE by applying vendor firmware updates such as C4EM-125, which properly configure the unprogrammed AST2600 component and prevent the denial of service.
- CM-6 (Configuration Settings): ensures that baseline configuration settings for BMC hardware components such as the AST2600 are properly programmed, so that units are not shipped or deployed in a state that permits resource exhaustion.
- SC-5 (Denial-of-service Protection): implements denial-of-service protections such as resource throttling to limit the availability impact of an unconfigured AST2600.