Cyber Resilience

CVE-2024-7490

Critical

Published: 08 August 2024

Published
08 August 2024
Modified
29 September 2025
KEV Added
Patch
CVSS Score v4 9.5 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.1173 93.9th percentile
Risk Priority 26 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-7490 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Microchip Advanced Software Framework. Its CVSS base score is 9.5 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 6.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability is an improper input validation flaw, tracked as CWE-120, in the example DHCP server implementation within Microchip Technology's Advanced Software Framework. It resides in tinydhcpserver.C and the lwip_dhcp_find_option routine, enabling a buffer overflow that can result in remote code execution. The issue affects all versions of ASF through 3.52.0.2574 and carries a CVSS 4.0 score of 9.5.

An unauthenticated attacker can exploit the flaw remotely over the network by sending crafted DHCP traffic that triggers the overflow, achieving arbitrary code execution with high impact to confidentiality, integrity, and availability on affected systems.

Microchip states that ASF is no longer supported and directs users to apply the workaround referenced in the advisory or migrate to a maintained framework; additional details appear in the associated CERT vulnerability note at kb.cert.org. The EPSS score remains flat at 0.1173 with no reported real-world exploitation to date.

EU & UK References

Vulnerability details

Improper Input Validation vulnerability in Microchip Techology Advanced Software Framework example DHCP server can cause remote code execution through a buffer overflow. This vulnerability is associated with program files tinydhcpserver.C and program routines lwip_dhcp_find_option. This issue affects Advanced Software Framework:…

more

through 3.52.0.2574. ASF is no longer being supported. Apply provided workaround or migrate to an actively maintained framework.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The stack-based buffer overflow in the ASF tinydhcp server allows unauthenticated remote code execution via a specially crafted DHCP request packet, directly enabling Exploitation of Remote Services (T1210).

Affected Assets

microchip
advanced software framework
≤ 3.52.0.2574

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-120

Platform-independent managed code eliminates the need for unchecked native buffer copies that are the root cause of classic buffer overflows.

References