Cyber Posture

CVE-2024-48455

Low

Published: 06 January 2025

Published
06 January 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score 2.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
EPSS Score 0.6349 98.4th percentile
Risk Priority 43 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-48455 is a low-severity an unspecified weakness vulnerability. Its CVSS base score is 2.7 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique System Network Configuration Discovery (T1016); ranked in the top 1.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AU-13 (Monitoring for Information Disclosure).

Threat & Defense at a Glance

What attackers do: exploitation maps to System Network Configuration Discovery (T1016) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

SI-2 requires timely identification, reporting, and correction of flaws like the information disclosure vulnerability in the skk_get.cgi component.

AC-3 Access Enforcement good match
prevent

AC-3 enforces approved authorizations for logical access, preventing privileged remote attackers from obtaining sensitive information via mode_name and wl_link parameters.

AU-13 Monitoring for Information Disclosure good match
detect

AU-13 specifically monitors the system for unauthorized disclosure of information, such as the sensitive data leak enabled by this CVE.

MITRE ATT&CK Enterprise TechniquesAI

T1016 System Network Configuration Discovery Discovery
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems.
attack.mitre.org →
T1082 System Information Discovery Discovery
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
attack.mitre.org →
T1602 Data from Configuration Repository Collection
Adversaries may collect data related to managed devices from configuration repositories.
attack.mitre.org →
Why these techniques?

Post-auth info disclosure via router CGI parameters directly enables network/system config and device data discovery (T1016/T1082/T1602).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue in Netis Wifi6 Router NX10 2.0.1.3643 and 2.0.1.3582 and Netis Wifi 11AC Router NC65 3.0.0.3749 and Netis Wifi 11AC Router NC63 3.0.0.3327 and 3.0.0.3503 and Netis Wifi 11AC Router NC21 3.0.0.3800, 3.0.0.3500 and 3.0.0.3329 and Netis Wifi Router…

more

MW5360 1.0.1.3442 and 1.0.1.3031 allows a remote attacker to obtain sensitive information via the mode_name, wl_link parameters of the skk_get.cgi component.

Deeper analysisAI

CVE-2024-48455 is an information disclosure vulnerability affecting multiple Netis router models and specific firmware versions. The impacted devices include the Netis Wifi6 Router NX10 running versions 2.0.1.3643 and 2.0.1.3582, Netis Wifi 11AC Router NC65 version 3.0.0.3749, Netis Wifi 11AC Router NC63 versions 3.0.0.3327 and 3.0.0.3503, Netis Wifi 11AC Router NC21 versions 3.0.0.3800, 3.0.0.3500, and 3.0.0.3329, and Netis Wifi Router MW5360 versions 1.0.1.3442 and 1.0.1.3031. The flaw exists in the skk_get.cgi component, where the mode_name and wl_link parameters expose sensitive information to attackers.

A remote attacker with high privileges can exploit this vulnerability over the network with low attack complexity and no user interaction. Exploitation enables a low-impact confidentiality breach, allowing the attacker to obtain sensitive information from the device, while integrity and availability are unaffected. The CVSS v3.1 base score is 2.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).

Details on the vulnerability, including potential mitigations, are documented in GitHub projects maintained by h00die-gr3y, accessible at https://github.com/users/h00die-gr3y/projects/1/views/1 and https://github.com/users/h00die-gr3y/projects/1/views/1?pane=issue&itemId=92065458&issue=h00die-gr3y%7Ch00die-gr3y%7C2.

Details

CWE(s)
None listed

References