A serious security vulnerability has been disclosed in the Bitdefender BOX v1, a home network security appliance that Bitdefender no longer sells. The vulnerability, tracked as CVE-2024-13872, affects firmware versions 1.3.11.490 through 1.3.11.505.

The flaw stems from the device fetching program and detection-rule updates over plain HTTP rather than an encrypted, authenticated channel. Plain HTTP provides neither confidentiality nor integrity in transit, so anyone able to intercept the device's traffic can alter the responses it receives. That is a significant risk for users who continue to operate these devices past their end-of-support date.

Attack Method and Severity

An attacker on an adjacent network (the same local segment as the BOX, which is what the CVSS "Adjacent" attack vector denotes) can trigger the update API remotely, then position themselves as a man-in-the-middle (MITM) between the device and the update server and answer the request with a malicious response. Because the device applies what it receives over this channel, a tampered update can lead to remote code execution on the BOX.
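To make that attack path concrete, the following is an added example written for this article; it is not Bitdefender's code and does not reproduce the BOX's real update API. The update host, the `/update.bin` and `/update.sig` paths and the payload contents are constructed for illustration. It runs two update servers on loopback (one playing the vendor, one playing the on-path attacker) against two client patterns: one that applies whatever plain HTTP returns, and one that refuses any update whose detached Ed25519 signature does not verify under a public key pinned in the firmware.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// serveUpdate stands in for the vendor's update host and, in the tampered
// case, for the man-in-the-middle that answers instead of it. The paths are
// assumptions for this example, not the BOX's real update API.
func serveUpdate(body, sig []byte) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/update.bin", func(w http.ResponseWriter, _ *http.Request) { w.Write(body) })
	mux.HandleFunc("/update.sig", func(w http.ResponseWriter, _ *http.Request) { w.Write(sig) })
	return httptest.NewServer(mux) // plain HTTP, like the vulnerable channel
}

func fetch(url string) ([]byte, error) {
	resp, err := http.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("GET %s: %s", url, resp.Status)
	}
	return io.ReadAll(resp.Body)
}

// applyUnverified is the vulnerable pattern: whatever arrives over plain HTTP
// is treated as the update, so an on-path attacker's response is applied.
func applyUnverified(base string) ([]byte, error) {
	return fetch(base + "/update.bin")
}

// applyVerified is the hardened pattern: the update must carry a detached
// Ed25519 signature that verifies under a key pinned in the firmware. An
// attacker who can rewrite HTTP traffic cannot produce such a signature.
func applyVerified(base string, pinned ed25519.PublicKey) ([]byte, error) {
	body, err := fetch(base + "/update.bin")
	if err != nil {
		return nil, err
	}
	sig, err := fetch(base + "/update.sig")
	if err != nil {
		return nil, err
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pinned, body, sig) {
		return nil, errors.New("update signature invalid; refusing to apply")
	}
	return body, nil
}

// Outcome records what each client pattern did against the two servers.
type Outcome struct {
	UnverifiedAppliedTampered bool // vulnerable client applied the attacker's payload
	VerifiedAcceptedGenuine   bool // hardened client accepted the vendor's update
	VerifiedRejectedTampered  bool // hardened client refused the attacker's payload
}

// RunScenario generates the vendor key, signs a genuine update, lets the
// attacker swap the body while replaying the real signature bytes, and runs
// both client patterns against both servers.
func RunScenario() (Outcome, error) {
	var out Outcome
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	genuine := []byte("detection-rules: benign content")    // constructed sample payload
	tampered := []byte("detection-rules: attacker payload") // constructed MITM payload
	genuineSig := ed25519.Sign(priv, genuine)

	vendor := serveUpdate(genuine, genuineSig)
	defer vendor.Close()
	mitm := serveUpdate(tampered, genuineSig) // signature no longer matches the body
	defer mitm.Close()

	got, err := applyUnverified(mitm.URL)
	if err != nil {
		return out, err
	}
	out.UnverifiedAppliedTampered = bytes.Equal(got, tampered)

	got, err = applyVerified(vendor.URL, pub)
	out.VerifiedAcceptedGenuine = err == nil && bytes.Equal(got, genuine)

	_, err = applyVerified(mitm.URL, pub)
	out.VerifiedRejectedTampered = err != nil
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Signed updates are what a vendor fix for this class of bug looks like, and they hold up even if the update host itself is compromised; serving updates over TLS with certificate pinning would also close the MITM vector but protects only the transport. Neither stops an attacker replaying an older, validly signed update, so a real updater also checks that the version is not lower than the one installed (not shown here).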

The vulnerability carries a "Critical" rating, with a base score of 9.4 under the Common Vulnerability Scoring System version 4.0 (CVSS v4.0).

No Fix Available for End-of-Life Product

Unfortunately for users of the affected hardware, the Bitdefender BOX v1 has already reached end of life and is no longer supported by the manufacturer. No security update or patch addressing this vulnerability has been announced, so affected devices remain vulnerable for as long as they stay in service.

Owners of Bitdefender BOX v1 devices are advised to replace them with a currently supported product to keep their home networks protected. Until then, because the attack requires a foothold on an adjacent network, keeping untrusted devices off the BOX's network segment reduces, but does not remove, the exposure.


Author

Editorial Team
The Editorial Team at Security Land is comprised of experienced professionals dedicated to delivering insightful analysis, breaking news, and expert perspectives on the ever-evolving threat landscape
