CVE-2024-55544

Severity: High · Public PoC · RCE

Published: 10 December 2024
Modified: 03 November 2025
KEV Added: not listed
Patch: none referenced
CVSS v4.0 score: 8.7 (High)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.2209 (95.9th percentile)
Risk priority: 31 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-55544 is a high-severity Command Injection (CWE-77) vulnerability in ORing IAP-420 firmware. Its CVSS v4.0 base score is 8.7 (High).

Operationally, it ranks in the top 4.1% of CVEs by exploit likelihood (EPSS 0.2209, 95.9th percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2024-55544 is a command injection vulnerability caused by missing input validation in the web interface of the ORing IAP-420 industrial access point. The flaw, tracked under CWE-77, affects firmware version 2.01e and earlier and permits an authenticated attacker to execute arbitrary operating-system commands.

An attacker with valid web-interface credentials can send specially crafted requests over the network to achieve full command execution. Successful exploitation grants high impact on confidentiality, integrity, and availability of the device, consistent with the reported CVSS 4.0 score of 8.7.

Public disclosures from CyberDanube and the Full Disclosure mailing list detail the issue but do not reference vendor-supplied patches or specific mitigation steps. The associated EPSS score stands at 0.2209 with no material change from its recorded peak.

Vulnerability details

Missing input validation in the ORing IAP-420 web interface allows authenticated Command Injections on OS level. This issue affects IAP-420 version 2.01e and below.

CWE(s)

CWE-77 (Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: oringnet
Product: iap-420 firmware
Versions: ≤ 2.01e

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
