CVE-2024-55544
Published: 10 December 2024
Summary
CVE-2024-55544 is a high-severity command injection (CWE-77) vulnerability in the ORing IAP-420 firmware (listed as Oringnet Iap-420 Firmware). Its CVSS 4.0 base score is 8.7 (High).
Operationally, it ranks in the top 4.1% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-55544 is a command injection vulnerability caused by missing input validation in the web interface of the ORing IAP-420 industrial access point. The flaw, tracked under CWE-77, affects firmware version 2.01e and earlier and permits an authenticated attacker to execute arbitrary operating-system commands.
An attacker with valid web-interface credentials can send specially crafted requests over the network to achieve full command execution. Successful exploitation grants high impact on confidentiality, integrity, and availability of the device, consistent with the reported CVSS 4.0 score of 8.7.
Public disclosures from CyberDanube and the Full Disclosure mailing list detail the issue but do not reference vendor-supplied patches or specific mitigation steps. The associated EPSS score stands at 0.2209, unchanged from its recorded peak.
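The CWE-77 pattern described above, as an added illustration rather than ORing's code: the advisory does not name the affected web-interface field, so the diagnostic "ping host" parameter, the command strings and the function names below are hypothetical. The vulnerable builder splices the untrusted field into a shell command line, so a `;` or `|` in the request reaches the shell; the hardened version validates the field against a strict allowlist and builds an argv for `execv` so no shell ever parses it.

```c
/* Added example (not ORing's code). Hypothetical firmware CGI handler that
 * runs ping against a host taken from a web form field. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (CWE-77): the untrusted field is concatenated into a
 * command line that would later be handed to system()/popen(), so shell
 * metacharacters in the request are interpreted by the shell. */
int build_ping_cmd_vulnerable(const char *host, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "/bin/ping -c 1 %s", host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened input validation: allow only a hostname or IPv4 literal made of
 * letters, digits, '-' and '.', bounded in length, and not starting with
 * '-' (which would otherwise be parsed by ping as an option). */
bool is_valid_host(const char *host) {
    size_t len = strlen(host);
    if (len == 0 || len > 253) return false;
    if (host[0] == '-' || host[0] == '.') return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '-' || c == '.')) return false;
    }
    return true;
}

/* Hardened command construction: an argv for execv(), no shell involved.
 * Returns the number of argv entries, or -1 if the host is rejected. */
int build_ping_argv(const char *host, const char *argv[], size_t maxargs) {
    if (maxargs < 5 || !is_valid_host(host)) return -1;
    argv[0] = "/bin/ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = host;   /* passed as a single argument, never re-parsed */
    argv[4] = NULL;
    return 4;
}

int main(void) {
    /* Constructed request value, not a payload from the advisory. */
    const char *field = "127.0.0.1; cat /etc/shadow";
    char cmd[256];
    const char *argv[5];

    build_ping_cmd_vulnerable(field, cmd, sizeof cmd);
    printf("vulnerable command line: %s\n", cmd);
    printf("hardened builder accepts the field: %s\n",
           build_ping_argv(field, argv, 5) < 0 ? "no" : "yes");
    return 0;
}
```

The validation is deliberately an allowlist rather than a denylist of metacharacters: the set of characters a given shell treats specially is larger than most denylists, while the set of characters a legitimate hostname needs is small and fixed.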
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-52798
Vulnerability details
Missing input validation in the ORing IAP-420 web interface allows authenticated command injection at the OS level. This issue affects IAP-420 version 2.01e and below.
- CWE(s): CWE-77, Improper Neutralization of Special Elements used in a Command ('Command Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
ORing IAP-420 industrial access point, firmware version 2.01e and earlier.
Mitigating Controls
No vendor-specific mitigating controls are mapped yet, and the public disclosures do not reference a patch. Because exploitation requires valid web-interface credentials, restricting network access to the management interface to trusted administrative hosts and replacing default or shared administrative credentials limit exposure until a vendor fix is available.