CVE-2024-38433

MEDIUM

Nuvoton NPCM7xx Firmware < 10.10.19 - Authentication Bypass and Arbitrary Code Execution via U-Boot Image Header

Title source: llm

Description

Nuvoton - CWE-305: Authentication Bypass by Primary Weakness An attacker with write access to the SPI-Flash on an NPCM7xx BMC subsystem that uses the Nuvoton BootBlock reference code can modify the u-boot image header on flash parsed by the BootBlock which could lead to arbitrary code execution.

References (1)

Core 1

Core References

Third Party Advisory

https://www.gov.il/en/Departments/faq/cve_advisories

Scores

CVSS v3 6.7

EPSS 0.0020

EPSS Percentile 9.6%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-305 CWE-287

Status published

Products (4)

nuvoton/npcm705r_firmware < 10.10.19

nuvoton/npcm710r_firmware < 10.10.19

nuvoton/npcm730r_firmware < 10.10.19

nuvoton/npcm750r_firmware < 10.10.19

Published Jul 11, 2024

Tracked Since Feb 18, 2026