Cyber Posture

CVE-2024-48126

Severity: Critical

Published: 15 January 2025
Modified: 15 April 2026
KEV Added: none (not listed in the CISA KEV catalog)
Patch: none listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0025 (47.8th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-48126 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Diva Portal (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078); ranked at the 47.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Valid Accounts (T1078) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: IA-5 requires managing authenticators by changing initial or default values and protecting them from unauthorized disclosure, directly countering hardcoded credentials in the device.

Prevent: CM-7 mandates configuring systems to least functionality by prohibiting or restricting non-essential vendor support and service functions that rely on the hardcoded credentials.

Prevent: AC-2 enables identification, review, and disabling of accounts associated with hardcoded credentials to prevent unauthorized access.

MITRE ATT&CK Enterprise Techniques

T1078 Valid Accounts (Stealth): Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1078.001 Default Accounts (Stealth): Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1133 External Remote Services (Persistence): Adversaries may leverage external-facing remote services to initially access and/or persist within a network.

Why these techniques?

Hardcoded credentials (CWE-798) directly provide valid/default account material for unauthenticated remote access to service functions, enabling T1078/T1078.001 and T1133 External Remote Services.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

HI-SCAN 6040i Hitrax HX-03-19-I was discovered to contain hardcoded credentials for access to vendor support and service access.

Deeper analysis

CVE-2024-48126 is a critical vulnerability in the HI-SCAN 6040i Hitrax HX-03-19-I, where hardcoded credentials enable unauthorized access to vendor support and service functions. Classified under CWE-798 (Use of Hard-coded Credentials), it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity due to network accessibility and potential for significant impact.

Remote attackers require no privileges, authentication, or user interaction to exploit this issue over the network with low complexity. Exploitation allows attackers to leverage the hardcoded credentials, achieving high confidentiality, integrity, and availability impacts, such as gaining control over support and service access on affected devices.

Mitigation guidance is available in the referenced advisory at https://kth.diva-portal.org/smash/get/diva2:1876534/FULLTEXT01.pdf, published on 2025-01-15.

Details

CWE(s)

CWE-798 Use of Hard-coded Credentials

Affected Products

Diva Portal (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-28255 (shared CWE-798)
CVE-2026-23647 (shared CWE-798)
CVE-2026-28777 (shared CWE-798)
CVE-2025-35451 (shared CWE-798)
CVE-2026-27507 (shared CWE-798)
CVE-2026-28776 (shared CWE-798)
CVE-2024-57811 (shared CWE-798)
CVE-2026-24346 (shared CWE-798)
CVE-2024-51547 (shared CWE-798)
CVE-2025-30122 (shared CWE-798)

References