CVE-2024-12903

HIGH

Evoko Home <2.7.4 - Privilege Escalation

Title source: llm

Description

Incorrect default permissions vulnerability in Evoko Home, affecting version 2.4.2 to 2.7.4. A non-admin user could exploit weak file and folder permissions to escalate privileges, execute arbitrary code and maintain persistence on the compromised machine. It has been identified that full control permissions exist on the ‘Everyone’ group (i.e. any user who has local access to the operating system regardless of their privileges).

References (1)

Core 1

Core References

Third Party Advisory

https://www.incibe.es/en/incibe-cert/notices/aviso/incorrect-default-permissions-biamp-evoko-home

Scores

CVSS v3 7.8

EPSS 0.0020

EPSS Percentile 9.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-276

Status published

Products (1)

Biamp/Evoko Home Service 2.4.2 - 2.7.4.

Published Dec 23, 2024

Tracked Since Feb 18, 2026