CVE-2024-5421
Published: 04 June 2024
Summary
CVE-2024-5421 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 8.7 (High).
Operationally, it ranks in the top 4.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-5421 is an OS command injection vulnerability (CWE-78) caused by missing input validation in the web interface of SEH utnserver Pro, utnserver ProMAX, and INU-100 devices. The flaw affects all versions 20.1.22 and below and carries a CVSS 4.0 score of 8.7.
An authenticated attacker with network access can supply crafted input that is passed directly to the underlying operating system, enabling arbitrary command execution with impacts to confidentiality, integrity, and availability.
Public disclosures at seclists.org and cyberdanube.com detail the issue alongside other vulnerabilities in the same product line; the affected versions indicate that upgrading to a fixed release above 20.1.22 is the intended remediation path. The associated EPSS score reached a peak of 0.2564 before receding to its current value of 0.1895.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-46643
Vulnerability details
Missing input validation and OS command integration of the input in the utnserver Pro, utnserver ProMAX, INU-100 web-interface allows authenticated command injection. This issue affects utnserver Pro, utnserver ProMAX, INU-100 version 20.1.22 and below.
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.