Cyber Posture

CVE-2024-47258

High

Published: 06 February 2025

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 8.1 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0006 (20.0th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-47258 is a high-severity Improper Certificate Validation (CWE-295) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, it ranks at the 20.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-3 (Device Identification and Authentication) and SC-17 (Public Key Infrastructure Certificates).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Directly imposes PKI certificate validation requirements for verifying the certificates of 2N edge devices, preventing the MITM attacks that improper certificate validation enables.

prevent: Mandates unique identification and authentication of edge devices such as 2N hardware before communication, blocking MITM impersonation that exploits unverified certificates.

prevent: Enforces cryptographic mechanisms that protect the confidentiality and integrity of transmissions between Access Commander and edge devices against MITM interception and modification.

NVD Description

2N Access Commander version 2.1 and prior is vulnerable in default settings to Man In The Middle attack due to not verifying certificates of 2N edge devices. 2N has currently released an updated version 3.3 of 2N Access Commander, with added Certificate Fingerprint Verification. Since version 2.2 of 2N Access Commander (released in February 2022) it is also possible to enforce TLS certificate validation. It is recommended that all customers update 2N Access Commander to the latest version and use one of two mentioned practices.

Deeper analysis

CVE-2024-47258 affects 2N Access Commander versions 2.1 and prior, where default settings fail to verify TLS certificates of connected 2N edge devices, enabling man-in-the-middle (MITM) attacks. This vulnerability, classified under CWE-295 (Improper Certificate Validation), carries a CVSS v3.1 base score of 8.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to elevated confidentiality and integrity impacts.

An attacker with adjacent network access, such as a position on the same local network segment, can exploit this without privileges or user interaction by interposing between the Access Commander server and the 2N edge devices. Successful exploitation allows interception and modification of sensitive communications, potentially compromising credentials, configuration data, or access control decisions relayed between the management software and the physical access control hardware.

The vendor advises updating to 2N Access Commander version 3.3, which introduces Certificate Fingerprint Verification. Since version 2.2 (released February 2022), TLS certificate validation can also be enforced manually. Customers should upgrade to the latest version and apply one of these two practices as mitigation, as detailed in the vendor advisory at https://www.2n.com/en-GB/download/cve_2024_47258_acom_3_3_v1pdf.

Details

CWE(s)

Affected Products

Access Commander (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2024-54848 (shared CWE-295)
CVE-2025-1193 (shared CWE-295)
CVE-2026-34580 (shared CWE-295)
CVE-2025-46788 (shared CWE-295)
CVE-2026-33810 (shared CWE-295)
CVE-2026-32627 (shared CWE-295)
CVE-2026-42011 (shared CWE-295)
CVE-2024-55581 (shared CWE-295)
CVE-2025-11043 (shared CWE-295)
CVE-2025-46070 (shared CWE-295)

References