Cyber Resilience

CVE-2024-51346

Severity: High
Published: 25 March 2026
Modified: 25 March 2026
CVSS Score v3.1: 7.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0002 (percentile 4.3)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-51346 is a high-severity Use of Insufficiently Random Values (CWE-330) vulnerability in Eufy Homebase (inferred from references). Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). By exploit likelihood the CVE ranks at percentile 4.3 (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-51346 is a vulnerability in Eufy Homebase 2 version 3.3.4.1h that allows a local attacker to obtain sensitive information through a flaw in the cryptographic scheme. This issue corresponds to CWE-330 (Use of Insufficiently Random Values) and has a CVSS v3.1 base score of 7.7 (High), with vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating high impacts on confidentiality and integrity but no availability impact.

A local attacker can exploit this vulnerability with low complexity, requiring no privileges or user interaction. Successful exploitation enables the attacker to access sensitive information and potentially modify data, given the high integrity impact rating.

For mitigation details, security practitioners should consult the primary advisory at https://github.com/victorGoeman/Eufy-Ecosystem-Security-Research/blob/main/CVE-2024-51346.md and the related research repository at https://github.com/victorGoeman/Eufy-Ecosystem-Security-Research/blob/main/README.md, along with the vendor site at https://www.eufy.com/. No official patches are detailed in the provided references.

Vulnerability details

An issue in Eufy Homebase 2 version 3.3.4.1h allows a local attacker to obtain sensitive information via the cryptographic scheme.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.

Why these techniques?

Local crypto flaw (weak RNG) directly enables unauthorized extraction of sensitive data/credentials from the device without privileges.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-48928 (shared CWE-330)
CVE-2026-27515 (shared CWE-330)
CVE-2026-27637 (shared CWE-330)
CVE-2026-25072 (shared CWE-330)
CVE-2025-64097 (shared CWE-330)
CVE-2026-33710 (shared CWE-330)
CVE-2026-40975 (shared CWE-330)
CVE-2026-27755 (shared CWE-330)
CVE-2025-68704 (shared CWE-330)
CVE-2026-20101 (shared CWE-330)

Affected Assets

Eufy Homebase (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Requires cryptographic protections using FIPS-validated modules that ensure sufficient randomness, directly countering the CWE-330 flaw in the cryptographic scheme allowing sensitive information disclosure.

Prevent: Mandates timely remediation of identified flaws like this cryptographic vulnerability in Eufy Homebase 2 firmware, preventing local attacker exploitation.

Prevent: Enforces cryptographic key establishment and management with sufficient entropy, mitigating aspects of insufficiently random values in the flawed scheme.
