Cyber Posture

CVE-2024-8893

High

Published: 14 February 2025

Published
14 February 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0015 34.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-8893 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Os S (inferred from references). Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

IA-5 Authenticator Management good match
prevent

IA-5 requires management of authenticators including changing defaults and prohibiting hard-coded credentials, directly preventing unauthorized web interface access via known credentials.

AC-18 Wireless Access partial match
prevent

AC-18 authorizes and protects wireless access to the device, mitigating exploitation by restricting Wi-Fi connections from physical proximity.

SI-2 Flaw Remediation good match
preventrecover

SI-2 mandates timely flaw remediation, addressing this hard-coded credentials vulnerability through firmware updates.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1078.001 Default Accounts Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
attack.mitre.org →
Why these techniques?

Hard-coded credentials enable unauthorized access to a network-exposed web interface (public-facing application) and allow use of embedded/default account credentials for initial access.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Use of Hard-coded Credentials vulnerability in GoodWe Technologies Co., Ltd. GW1500‑XS allows anyone in physical proximity to the device to fully access the web interface of the inverter via Wi‑Fi.This issue affects GW1500‑XS: 1.1.2.1.

Deeper analysisAI

CVE-2024-8893 is a Use of Hard-coded Credentials vulnerability (CWE-798) in the GW1500-XS inverter from GoodWe Technologies Co., Ltd. The issue affects firmware version 1.1.2.1 and enables unauthorized full access to the device's web interface via Wi-Fi. It has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity with network accessibility and low complexity.

An attacker within physical proximity to the device, such as Wi-Fi range, can exploit this vulnerability with no privileges or user interaction required. Exploitation allows full access to the web interface, potentially compromising low levels of confidentiality, integrity, and availability of the inverter.

Mitigation details are available in the advisory published at https://os-s.net/publications/advisories/CVE-2024-8893.pdf.

Details

CWE(s)
CWE-798

Affected Products

Os S
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2026-25202Shared CWE-798
CVE-2026-3873Shared CWE-798
CVE-2026-1221Shared CWE-798
CVE-2024-57040Shared CWE-798
CVE-2025-67418Shared CWE-798
CVE-2025-10850Shared CWE-798
CVE-2025-9497Shared CWE-798
CVE-2026-22769Shared CWE-798
CVE-2026-27507Shared CWE-798
CVE-2025-10639Shared CWE-798

References