Cyber Resilience

CVE-2024-47258

Severity: High

Published: 06 February 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: vendor fix available (see Deeper analysis)
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0005 (16.4th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-47258 is a high-severity Improper Certificate Validation (CWE-295) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). The CVE is ranked at the 16.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-3 (Device Identification and Authentication) and SC-17 (Public Key Infrastructure Certificates).

Deeper analysis

CVE-2024-47258 affects 2N Access Commander versions 2.1 and prior, where default settings fail to verify TLS certificates of connected 2N edge devices, enabling man-in-the-middle (MITM) attacks. This vulnerability, classified under CWE-295 (Improper Certificate Validation), carries a CVSS v3.1 base score of 8.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to elevated confidentiality and integrity impacts.

An attacker with adjacent network access, such as on the same local network segment, can exploit this without privileges or user interaction by positioning themselves between the Access Commander server and 2N edge devices. Successful exploitation allows interception and modification of sensitive communications, potentially compromising credentials, configuration data, or access control decisions relayed between the management software and physical access control hardware.

The vendor advises updating to 2N Access Commander version 3.3, which introduces Certificate Fingerprint Verification. Since version 2.2 (released February 2022), TLS certificate validation can also be manually enforced. Customers should upgrade to the latest version and implement one of these practices for mitigation, as detailed in the vendor advisory at https://www.2n.com/en-GB/download/cve_2024_47258_acom_3_3_v1pdf.
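To make the mitigation concrete, the following added example (not 2N's code) shows the weak default beside a hardened TLS client that pins the edge device's certificate by SHA-256 fingerprint, as the vendor's Certificate Fingerprint Verification does in principle. It assumes the operator has recorded the device certificate's fingerprint out of band; host, port and all byte strings are constructed placeholders, and the code accepts the colon-separated form vendors usually display as well as bare hex.

```python
"""Certificate-fingerprint pinning for a TLS client talking to an edge device.
Added illustration for CVE-2024-47258, not vendor code. The fingerprint is
assumed to have been recorded from the device out of band (e.g. on its
console) before the server ever connects to it over the network.
"""
import hashlib
import hmac
import socket
import ssl


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex; return lowercase hex."""
    cleaned = "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")
    if len(cleaned) != 64:
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, the form vendors display."""
    return hashlib.sha256(der_cert).hexdigest()


def verify_pinned(der_cert: bytes, pinned_fp: str) -> bool:
    """Constant-time comparison of the presented certificate against the pin."""
    return hmac.compare_digest(fingerprint_sha256(der_cert),
                               normalize_fingerprint(pinned_fp))


def unverified_context() -> ssl.SSLContext:
    """The weak default: any certificate is accepted, so an on-path host can
    present its own certificate and read or alter server<->device traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def pinned_connect(host: str, port: int, pinned_fp: str, timeout: float = 5.0) -> str:
    """Hardened client: device certificates are typically self-signed, so CA
    validation is replaced by the pin, which is checked before any application
    data is sent. Returns the verified fingerprint or raises on mismatch."""
    ctx = unverified_context()  # handshake only; trust comes from the pin below
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if der is None or not verify_pinned(der, pinned_fp):
                raise ssl.SSLCertVerificationError(
                    f"certificate from {host}:{port} does not match the pin")
            return fingerprint_sha256(der)
```

A pin mismatch should be logged and alerted on rather than silently retried, since it is exactly the signal an on-path interposition would produce.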

Vulnerability details

2N Access Commander version 2.1 and prior is vulnerable in default settings to a Man-in-the-Middle attack due to not verifying certificates of 2N edge devices. 2N has currently released an updated version 3.3 of 2N Access Commander, with added Certificate Fingerprint Verification. Since version 2.2 of 2N Access Commander (released in February 2022) it is also possible to enforce TLS certificate validation. It is recommended that all customers update 2N Access Commander to the latest version and use one of the two mentioned practices.

CWE(s)

CWE-295 Improper Certificate Validation

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1557 Adversary-in-the-Middle (Credential Access)
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

Directly enables successful Adversary-in-the-Middle attacks via missing TLS certificate validation (CWE-295), allowing interception/modification of traffic between server and devices.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-31854 (shared CWE-295)
CVE-2026-32627 (shared CWE-295)
CVE-2024-55581 (shared CWE-295)
CVE-2025-11043 (shared CWE-295)
CVE-2024-50691 (shared CWE-295)
CVE-2024-29171 (shared CWE-295)
CVE-2025-9293 (shared CWE-295)
CVE-2025-0500 (shared CWE-295)
CVE-2025-66001 (shared CWE-295)
CVE-2026-1530 (shared CWE-295)

Affected Assets

Access Commander
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5; AI-mapped)

Prevent: Directly requires PKI certificate validation requirements to verify certificates of 2N edge devices, preventing MITM attacks from improper certificate validation.

Prevent: Mandates unique identification and authentication of edge devices like 2N hardware before communications, blocking MITM impersonation exploiting unverified certificates.

Prevent: Enforces cryptographic mechanisms to protect confidentiality and integrity of transmissions between Access Commander and edge devices against MITM interception and modification.