CVE-2024-5411
Published: 28 May 2024
Summary
CVE-2024-5411 is a high-severity OS Command Injection (CWE-78) vulnerability in Oringnet Iap-420 Firmware. Its CVSS base score is 8.7 (High).
Operationally, ranked in the top 3.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-5411 is an OS command injection vulnerability (CWE-78) caused by missing input validation in the web interface of the ORing IAP-420 industrial access point. The flaw allows authenticated users to inject and execute arbitrary operating system commands and affects firmware version 2.01e and earlier. It carries a CVSS 4.0 score of 8.7, reflecting network-accessible exploitation with low attack complexity and high impact on confidentiality, integrity, and availability.
An attacker who has obtained valid credentials to the device's web interface can supply crafted input that is passed directly to the underlying operating system, enabling remote command execution. Successful exploitation grants the attacker control over the device, potentially allowing lateral movement within industrial networks or disruption of connected systems.
Public advisories published on seclists.org and cyberdanube.com in May 2024 detail the issue as part of a broader set of vulnerabilities affecting the same product; organizations should consult these disclosures for vendor guidance on available patches or configuration changes.
The EPSS score for this CVE currently stands at 0.2723 with an identical peak value, indicating sustained but not recently escalating exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-46633
Vulnerability details
Missing input validation and OS command integration of the input in the ORing IAP-420 web-interface allows authenticated command injection.This issue affects IAP-420 version 2.01e and below.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.