CVE-2024-55019
Published: 03 March 2026
Summary
CVE-2024-55019 is a high-severity Improper Access Control (CWE-284) vulnerability in Weintek Easyweb. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2024-55019 is an incorrect access control vulnerability (CWE-284) in the download_wb.cgi component of Weintek cMT-3072XH2 easyweb Web Version v2.1.53 running OS v20231011. Published on 2026-03-03, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with low attack complexity and no privileges required.
Unauthenticated remote attackers can exploit this vulnerability over the network by accessing the affected component, enabling them to download arbitrary files from the device without authentication.
Advisories detailing potential mitigations or patches are available at the following references: https://gist.github.com/AenganZ/f86ed0da28825a1432ec697f484622de and https://plain-trick-71d.notion.site/weintek-cMT-3072XH2-14687a89c4c181eeb21ad61e0392f34b?pvs=4.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-55458
Vulnerability details
Incorrect access control in the component download_wb.cgi of Weintek cMT-3072XH2 easyweb Web Version v2.1.53, OS v20231011 allows unauthenticated attack to download arbitrary files.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated remote file access via public web component enables exploitation of public-facing application (T1190) and arbitrary local file retrieval (T1005).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
AC-3 enforces approved authorizations for access to system resources, directly mitigating the incorrect access control in download_wb.cgi that permits unauthenticated arbitrary file downloads.
AC-14 identifies and authorizes only explicitly permitted actions without authentication, preventing unauthorized file downloads through the unauthenticated CGI component.
AC-22 controls and protects publicly accessible content on web servers like easyweb, reducing exposure of arbitrary files to unauthenticated remote attackers.