CVE-2024-8456
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Certain switch models from PLANET Technology lack proper access control in firmware upload and download functionality, allowing unauthenticated remote attackers to download and upload firmware and system configurations, ultimately gaining full control of the devices.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| PLANET Technology | GS-4210-24PL4C hardware 2.0 | 0 < 2.305b240719 | affected |
| PLANET Technology | GS-4210-24P2S hardware 3.0 | 0 < 3.305b240802 | affected |
Weaknesses
- CWE-306: CWE-306 Missing Authentication for Critical Function
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://www.twcert.org.tw/tw/cp-132-8061-91872-1.html
- https://www.twcert.org.tw/en/cp-139-8062-92f17-2.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.