CVE-2024-23928

MEDIUM

Pioneer DMH-WT7600NEX Firmware - Unauthenticated Improper Certificate Validation in Telematics Functionality

Title source: llm

Description

This vulnerability allows network-adjacent attackers to compromise the integrity of downloaded information on affected installations of Pioneer DMH-WT7600NEX devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the telematics functionality, which operates over HTTPS. The issue results from the lack of proper validation of the certificate presented by the server. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root.

References (2)

Core 2

Core References

Product

https://jpn.pioneer/ja/car/dl/dmh-sz700_sf700/

Third Party Advisory

https://www.zerodayinitiative.com/advisories/ZDI-24-1045/

Scores

CVSS v3 6.5

EPSS 0.0024

EPSS Percentile 14.6%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-295

Status published

Products (1)

pioneer/dmh-wt7600nex_firmware

Published Jan 31, 2025

Tracked Since Feb 18, 2026