CVE-2024-48126
Published: 15 January 2025
Summary
CVE-2024-48126 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Diva Portal (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078). The CVE ranks in the top 43.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2024-48126 is a critical vulnerability in the HI-SCAN 6040i Hitrax HX-03-19-I, where hardcoded credentials enable unauthorized access to vendor support and service functions. Classified under CWE-798 (Use of Hard-coded Credentials), it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity due to network accessibility and potential for significant impact.
Remote attackers require no privileges, authentication, or user interaction to exploit this issue over the network with low complexity. Exploitation allows attackers to leverage the hardcoded credentials, achieving high confidentiality, integrity, and availability impacts, such as gaining control over support and service access on affected devices.
Mitigation guidance is available in the referenced advisory at https://kth.diva-portal.org/smash/get/diva2:1876534/FULLTEXT01.pdf, published on 2025-01-15.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-43235
Vulnerability details
HI-SCAN 6040i Hitrax HX-03-19-I was discovered to contain hardcoded credentials for access to vendor support and service access.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hardcoded credentials (CWE-798) directly provide valid/default account material for unauthenticated remote access to service functions, enabling T1078/T1078.001 and T1133 External Remote Services.
Mitigating Controls (NIST 800-53 r5)
IA-5 requires managing authenticators by changing initial or default values and protecting them from unauthorized disclosure, directly countering hardcoded credentials in the device.
CM-7 mandates configuring systems to least functionality by prohibiting or restricting non-essential vendor support and service functions that rely on the hardcoded credentials.
AC-2 enables identification, review, and disabling of accounts associated with hardcoded credentials to prevent unauthorized access.
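The following Python example illustrates the CWE-798 pattern behind this CVE and the shape of the IA-5, CM-7 and AC-2 controls listed above. It is an added illustration, not code from the HI-SCAN device, its vendor, or the referenced advisory; the account name, passwords and function names are constructed for the example, and the device's actual authentication logic is not known from this page.

```python
"""Hard-coded credential (CWE-798) beside a hardened service-access check.

Added illustration; not the device's firmware. Every account name and
password below is a constructed example value.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# --- Vulnerable pattern: one vendor service credential compiled into the code.
# Every unit ships with the same secret, so anyone who learns it gets remote
# service access on every deployed device. This is the CWE-798 shape.
SERVICE_USER = "service"              # constructed example value
SERVICE_PASSWORD = "factory-default"  # constructed example value


def vulnerable_service_login(user: str, password: str) -> bool:
    """Accepts the shared, hard-coded credential on any device."""
    return user == SERVICE_USER and password == SERVICE_PASSWORD


# --- Hardened pattern: per-device authenticator managed per IA-5, service
# function gated per CM-7, account reviewable and disableable per AC-2.
PBKDF2_ITERATIONS = 100_000


class ServiceAccount:
    def __init__(self, name: str):
        self.name = name
        self.enabled = False       # CM-7: non-essential service function off by default
        self.must_change = True    # IA-5: initial authenticator must be replaced before use
        self._salt: Optional[bytes] = None
        self._hash: Optional[bytes] = None

    def set_authenticator(self, new_password: str, *, initial: bool = False) -> None:
        """Store a salted PBKDF2 hash; a fresh per-device salt means no two units
        share credential material. initial=True marks a provisioning value
        that must be changed before the account can be used."""
        self._salt = secrets.token_bytes(16)
        self._hash = hashlib.pbkdf2_hmac(
            "sha256", new_password.encode(), self._salt, PBKDF2_ITERATIONS)
        self.must_change = initial

    def verify(self, password: str) -> bool:
        if self._hash is None or self._salt is None:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, PBKDF2_ITERATIONS)
        # Constant-time comparison avoids leaking hash bytes via timing.
        return hmac.compare_digest(candidate, self._hash)


def hardened_service_login(account: ServiceAccount, user: str,
                           password: str) -> Tuple[bool, str]:
    """Returns (granted, reason); each control is checked in turn."""
    if user != account.name:
        return False, "unknown account"
    if not account.enabled:
        return False, "service function disabled (CM-7)"
    if account.must_change:
        return False, "initial authenticator must be changed first (IA-5)"
    if not account.verify(password):
        return False, "bad credentials"
    return True, "ok"


def provision_device() -> Tuple[ServiceAccount, str]:
    """Simulates factory provisioning: a random initial authenticator per unit,
    flagged must-change. Returns the account and the initial value that would
    be handed to the operator out of band."""
    acct = ServiceAccount("svc-maint")  # constructed account name
    initial = secrets.token_urlsafe(24)
    acct.set_authenticator(initial, initial=True)
    return acct, initial


if __name__ == "__main__":
    print("vulnerable:", vulnerable_service_login("service", "factory-default"))
    acct, initial = provision_device()
    print("fresh unit:", hardened_service_login(acct, "svc-maint", initial))
    acct.enabled = True                      # operator enables the function (CM-7)
    print("enabled, unchanged:", hardened_service_login(acct, "svc-maint", initial))
    acct.set_authenticator("operator-chosen-secret")   # IA-5: replace initial value
    print("after change:", hardened_service_login(acct, "svc-maint", "operator-chosen-secret"))
    print("old initial:", hardened_service_login(acct, "svc-maint", initial))
```

The ordering of checks matters: the CM-7 gate is evaluated before any credential is examined, so a disabled service function cannot be reached even with a correct authenticator, and the IA-5 must-change flag blocks use of the provisioning value on a unit whose operator never rotated it.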