Cyber Resilience

CVE-2024-8355

Medium

Published: 22 November 2024

Published
22 November 2024
Modified
19 December 2024
KEV Added
Patch
CVSS Score v3.1 6.8 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0015 34.8th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-8355 is a medium-severity SQL Injection (CWE-89) vulnerability in Visteon Infotainment Firmware. Its CVSS base score is 6.8 (Medium).

Operationally, ranked at the 34.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Visteon Infotainment System DeviceManager iAP Serial Number SQL Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Visteon Infotainment system. Authentication is not required to exploit this vulnerability. The specific flaw exists within…

more

the DeviceManager. When parsing the iAP Serial number, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20112.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

visteon
infotainment firmware
74.00.311a

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-89

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

addresses: CWE-89

Validates query inputs to prevent SQL syntax or command manipulation.

References