CVE-2024-2413

CRITICAL

Intumit SmartRobot - RCE

Title source: llm

Description

Intumit SmartRobot uses a fixed encryption key for authentication. Remote attackers can use this key to encrypt a string composed of the user's name and timestamp to generate an authentication code. With this authentication code, they can obtain administrator privileges and subsequently execute arbitrary code on the remote server using built-in system functionality.

References (1)

[Third Party Advisory] https://www.twcert.org.tw/tw/cp-132-7697-ecf10-1.html

Scores

CVSS v3 9.8

EPSS 0.0290

EPSS Percentile 86.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-321

Status published

Products (2)

intumit/smartrobot < 6.2.0-202303TW

intumit/smartrobot_firmware < 6.2.0-202303TW

Published Mar 13, 2024

Tracked Since Feb 18, 2026