CVE-2024-5509
Published: 06 June 2024
Summary
CVE-2024-5509 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Luxion KeyShot. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 10.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-5509 is an uncontrolled search path element vulnerability in Luxion KeyShot that affects the parsing of BIP files. The flaw permits loading a library from an unsecured location, which can be abused to achieve remote code execution on affected installations. It was originally reported as ZDI-CAN-22738 and carries a CVSS 3.1 score of 7.8.
An unauthenticated attacker can exploit the issue by supplying a malicious BIP file or directing a victim to a malicious page; successful exploitation requires the target user to open the file or visit the page, after which arbitrary code runs in the context of the KeyShot process. The attack vector is local with no privileges required, yet the impact spans confidentiality, integrity, and availability.
Vendor advisories published by Luxion KeyShot CSIRT and the Zero Day Initiative (ZDI-24-540) address the issue and are the authoritative sources for patch and mitigation guidance. The EPSS score has remained flat at 0.0501 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-46719
Vulnerability details
Luxion KeyShot BIP File Parsing Uncontrolled Search Path Element Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Luxion KeyShot. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of BIP files. The issue results from loading a library from an unsecured location. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22738.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.