CVE-2024-23922

MEDIUM

Sony XAV-AX5500 Firmware - Unauthenticated Remote Code Execution via Firmware Update Validation Bypass

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-23922. PoCs published by lkushinada.

AI-analyzed exploit summary This exploit leverages improper firmware validation in Sony XAV-AX5500 devices to craft malicious update packages, enabling arbitrary code execution via USB. The PoC decrypts, modifies, and repackages firmware updates to bypass validation checks.

Description

Sony XAV-AX5500 Insufficient Firmware Update Validation Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Sony XAV-AX5500 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of software updates. The issue results from the lack of proper validation of software update packages. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-22939

Exploits (1)

exploitdb WORKING POC

by lkushinada · pythonremotemultiple

https://www.exploit-db.com/exploits/52143

View Code ZIP pw:eip

This exploit leverages improper firmware validation in Sony XAV-AX5500 devices to craft malicious update packages, enabling arbitrary code execution via USB. The PoC decrypts, modifies, and repackages firmware updates to bypass validation checks.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Sony XAV-AX5500 firmware versions prior to 2.00

No auth needed

Prerequisites: Physical access to the device · Existing firmware update package · WinRAR 2.0

MITRE ATT&CK

T1072 - Software Deployment Tools

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Third Party Advisory, VDB Entry x_research-advisory

https://www.zerodayinitiative.com/advisories/ZDI-24-874/

Patch vendor-advisory

https://www.sony.com/electronics/support/mobile-cd-players-digital-media-players-xav-series/xav-ax5500/software/00274156

Scores

CVSS v3 6.8

EPSS 0.0167

EPSS Percentile 73.7%

Attack Vector PHYSICAL

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-345

Status published

Products (1)

sony/xav-ax5500_firmware 1.13

Published Sep 23, 2024

Tracked Since Feb 18, 2026