Cyber Resilience

CVE-2024-5509

High

Published: 06 June 2024

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0501 (89.9th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-5509 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Luxion KeyShot. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 10.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-5509 is an uncontrolled search path element vulnerability in Luxion KeyShot that affects the parsing of BIP files. The flaw permits loading a library from an unsecured location, which can be abused to achieve remote code execution on affected installations. It was originally reported as ZDI-CAN-22738 and carries a CVSS 3.1 score of 7.8.

An unauthenticated attacker can exploit the issue by supplying a malicious BIP file or directing a victim to a malicious page; successful exploitation requires the target user to open the file or visit the page, after which arbitrary code runs in the context of the KeyShot process. The attack vector is local with no privileges required, yet the impact spans confidentiality, integrity, and availability.

Vendor advisories published by Luxion KeyShot CSIRT and the Zero Day Initiative (ZDI-24-540) address the issue and are the authoritative sources for patch and mitigation guidance. The EPSS score has remained flat at 0.0501 with no material increase since disclosure.

EU & UK References

Vulnerability details

Luxion KeyShot BIP File Parsing Uncontrolled Search Path Element Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Luxion KeyShot. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of BIP files. The issue results from loading a library from an unsecured location. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22738.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Affected versions
luxion | keyshot | ≤ 2024.1
luxion | keyshot network rendering | ≤ 2024.1
luxion | keyshot viewer | ≤ 2024.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References