Cyber Resilience

CVE-2024-5421

High | RCE

Published: 04 June 2024
Modified: 15 April 2026
KEV Added: not listed
Patch: (none recorded)
CVSS v4.0 score: 8.7 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.1895 (95.5th percentile)
Risk priority: 29 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-5421 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 8.7 (High).

Operationally, it ranks in the top 4.5% of CVEs by EPSS exploit likelihood (95.5th percentile), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-5421 is an OS command injection vulnerability (CWE-78) caused by missing input validation in the web interface of SEH utnserver Pro, utnserver ProMAX, and INU-100 devices. The flaw affects all versions 20.1.22 and below and carries a CVSS 4.0 score of 8.7.

An authenticated attacker with network access can supply crafted input that is passed directly to the underlying operating system, enabling arbitrary command execution with impacts to confidentiality, integrity, and availability.

Public disclosures at seclists.org and cyberdanube.com detail the issue alongside other vulnerabilities in the same product line; the affected versions indicate that upgrading to a fixed release above 20.1.22 is the intended remediation path. The associated EPSS score reached a peak of 0.2564 before receding to its current value of 0.1895.

EU & UK References

Vulnerability details

Missing input validation and OS command integration of the input in the utnserver Pro, utnserver ProMAX, INU-100 web-interface allows authenticated command injection. This issue affects utnserver Pro, utnserver ProMAX, INU-100 version 20.1.22 and below.

CWE(s): CWE-78 (OS Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

INU-100 (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control 1 (addresses CWE-78): Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Control 2 (addresses CWE-78): Validates inputs to block special elements that would alter OS command execution.
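The second control above, input validation that rejects shell special elements, is easiest to understand next to the pattern it defends against. The following Python is an added, constructed illustration; it is not code from the SEH devices or from this CVE's disclosures, and the idea that the web interface field holds a host to ping is an assumption made only to have something concrete to validate. The "before" function splices the field into a shell string (the CWE-78 shape), while the hardened path allowlists the value and hands it to the process as a single argv element with no shell involved.

```python
import re
import subprocess
from typing import List

# Allowlist for the one hypothetical field this handler accepts: a hostname or
# IPv4/IPv6 literal. First character may not be '-', so a validated value can
# never be parsed as an option by the invoked program. Anything outside the set
# is rejected outright rather than escaped; this is the "block special
# elements" control, applied as a positive allowlist instead of a denylist.
_HOST_RE = re.compile(r"^[A-Za-z0-9:][A-Za-z0-9.\-:]{0,252}$")

# Characters that make /bin/sh treat data as further commands. Used only to
# explain in the error why a value was rejected; the allowlist does the work.
_SHELL_META = set(";&|`$<>(){}\n\r'\"\\ ")


def vulnerable_command(target: str) -> str:
    """Constructed 'before' form: untrusted input is concatenated into a shell
    command string (CWE-78). Returned, not executed, so the example is offline."""
    return f"ping -c 1 {target}"


def is_valid_host(target: str) -> bool:
    """True only if the value is a plain hostname/IP literal per the allowlist."""
    return _HOST_RE.fullmatch(target) is not None


def validate_host(target: str) -> str:
    """Return the value unchanged if it passes the allowlist, else raise."""
    if not is_valid_host(target):
        bad = sorted(ch for ch in set(target) if ch in _SHELL_META)
        raise ValueError(f"host field rejected; disallowed characters: {bad!r}")
    return target


def safe_argv(target: str) -> List[str]:
    """Hardened form: the validated value is one argv element; no shell string."""
    return ["ping", "-c", "1", validate_host(target)]


def run_ping(target: str) -> subprocess.CompletedProcess:
    """Execute the hardened argv. shell=False means argv goes to execve directly,
    so the operating system never interprets the value as shell syntax."""
    return subprocess.run(
        safe_argv(target), capture_output=True, text=True, timeout=10, check=False
    )


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for sample in ["192.0.2.10", "printer.example.internal", "192.0.2.10; echo injected", "-c"]:
        try:
            print(f"accepted: {safe_argv(sample)}")
        except ValueError as exc:
            print(f"rejected {sample!r}: {exc}")
```

Two design points matter here. Validation is a positive allowlist of what a host may look like, so inputs the author never thought of (newlines, backticks, a leading hyphen) are refused by default rather than needing their own rule. Independently of validation, the command is executed with an argv list and `shell=False`, so even a validation gap would not reach a shell interpreter; the two layers correspond to the two controls listed above.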

References