Cyber Posture

CVE-2024-51346

High

Published: 25 March 2026

Modified: 25 March 2026
CVSS Score: 7.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0002 (3.8th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-51346 is a high-severity Use of Insufficiently Random Values (CWE-330) vulnerability in Eufy Homebase (inferred from references). Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 3.8th percentile by exploit likelihood (EPSS), which is below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 1 other technique.

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Requires cryptographic protections using FIPS-validated modules that ensure sufficient randomness, directly countering the CWE-330 flaw in the cryptographic scheme allowing sensitive information disclosure.

prevent

Mandates timely remediation of identified flaws like this cryptographic vulnerability in Eufy Homebase 2 firmware, preventing local attacker exploitation.

prevent

Enforces cryptographic key establishment and management with sufficient entropy, mitigating aspects of insufficiently random values in the flawed scheme.

MITRE ATT&CK Enterprise Techniques [AI]

T1005 Data from Local System (Tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1552 Unsecured Credentials (Tactic: Credential Access)
Adversaries may search compromised systems to find and obtain insecurely stored credentials.

Why these techniques?

Local crypto flaw (weak RNG) directly enables unauthorized extraction of sensitive data/credentials from the device without privileges.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue in Eufy Homebase 2 version 3.3.4.1h allows a local attacker to obtain sensitive information via the cryptographic scheme.

Deeper analysis [AI]

CVE-2024-51346 is a vulnerability in Eufy Homebase 2 version 3.3.4.1h that allows a local attacker to obtain sensitive information through a flaw in the cryptographic scheme. This issue corresponds to CWE-330 (Use of Insufficiently Random Values) and has a CVSS v3.1 base score of 7.7 (High), with vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating high impacts on confidentiality and integrity but no availability impact.

A local attacker can exploit this vulnerability with low complexity, requiring no privileges or user interaction. Successful exploitation enables the attacker to access sensitive information and potentially modify data, given the high integrity impact rating.

For mitigation details, security practitioners should consult the primary advisory at https://github.com/victorGoeman/Eufy-Ecosystem-Security-Research/blob/main/CVE-2024-51346.md and the related research repository at https://github.com/victorGoeman/Eufy-Ecosystem-Security-Research/blob/main/README.md, along with the vendor site at https://www.eufy.com/. No official patches are detailed in the provided references.

Details

CWE(s): CWE-330 (Use of Insufficiently Random Values)

Affected Products

Eufy Homebase (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2025-64097 (shared CWE-330)
CVE-2026-27637 (shared CWE-330)
CVE-2026-25072 (shared CWE-330)
CVE-2026-33710 (shared CWE-330)
CVE-2025-68704 (shared CWE-330)
CVE-2026-27755 (shared CWE-330)
CVE-2026-27515 (shared CWE-330)
CVE-2026-20101 (shared CWE-330)
CVE-2026-40975 (shared CWE-330)
CVE-2024-48928 (shared CWE-330)
