CVE-2024-2413

Severity: CRITICAL, CVSS 3.1 base score 9.8
Published: 2024-03-13

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis generated: Mar 17, 2026 20:45 (vuln.today)
CVE published: Mar 13, 2024 03:15 (nvd)

Description

Intumit SmartRobot uses a fixed encryption key for authentication. Remote attackers can use this key to encrypt a string composed of the user's name and timestamp to generate an authentication code. With this authentication code, they can obtain administrator privileges and subsequently execute arbitrary code on the remote server using built-in system functionality.

Analysis

A critical authentication bypass vulnerability exists in Intumit SmartRobot due to the use of a hard-coded encryption key. Remote unauthenticated attackers who know this fixed key can forge an authentication code by encrypting a user name and timestamp, gaining full administrative access to the system. Once authenticated, they can execute arbitrary code on the server through built-in system functionality, achieving complete system compromise.

Technical Context

The vulnerability affects Intumit SmartRobot, an automation or robotic control system, across all versions according to the CPE identifier (cpe:2.3:a:intumit:smartrobot:*:*:*:*:*:*:*:*). The root cause is CWE-321 (Use of Hard-coded Cryptographic Key), a design flaw in which a cryptographic key is embedded in the application itself rather than generated per installation and managed securely. Because every installation shares the same key, the authentication model collapses: anyone who extracts or reverse-engineers the key from one copy of the software can forge authentication codes that every other installation accepts.
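As an added illustration of the remediation that CWE-321 implies (example code written here, not Intumit's or SmartRobot's, and assuming nothing about their real cipher or token format): each installation generates its own secret on first start, the authentication code becomes an HMAC over the user name and timestamp, and the verifier rejects codes that are stale, tampered with, or made under a different key. The key-file path is a hypothetical placeholder.

```python
import hashlib
import hmac
import os
import secrets
import time

# Per-installation secret: created once on first start, never compiled into
# the product, so no two deployments share a key that an attacker could
# extract from one copy and reuse elsewhere.
KEY_FILE = "/var/lib/example-app/auth.key"  # hypothetical path, not SmartRobot's


def load_or_create_install_key(path: str = KEY_FILE) -> bytes:
    """Return this installation's secret, generating it on first use."""
    try:
        with open(path, "rb") as f:
            key = f.read()
        if len(key) >= 32:
            return key
    except FileNotFoundError:
        pass
    key = secrets.token_bytes(32)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # owner-only
    with os.fdopen(fd, "wb") as f:
        f.write(key)
    return key


def issue_token(key: bytes, user: str, issued_at: int) -> str:
    """Authentication code = user|timestamp|HMAC-SHA256(key, user|timestamp)."""
    msg = f"{user}|{issued_at}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{user}|{issued_at}|{tag}"


def verify_token(key: bytes, token: str, now: int, max_age: int = 300) -> bool:
    """Accept only a fresh code whose tag was produced with this installation's key."""
    try:
        user, ts, tag = token.rsplit("|", 2)
        issued_at = int(ts)
    except ValueError:
        return False
    if not (now - max_age <= issued_at <= now + 30):  # stale or from the future
        return False
    expected = hmac.new(key, f"{user}|{issued_at}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


if __name__ == "__main__":
    k = secrets.token_bytes(32)  # stands in for load_or_create_install_key()
    t = issue_token(k, "admin", int(time.time()))
    print(verify_token(k, t, int(time.time())))
```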

Affected Products

Intumit SmartRobot is affected across all versions based on the CPE identifier (cpe:2.3:a:intumit:smartrobot:*:*:*:*:*:*:*:*), with no specific version restrictions indicated. The vulnerability was reported by the Taiwan Computer Emergency Response Team (TWCERT) with additional details available at https://www.twcert.org.tw/tw/cp-132-7697-ecf10-1.html. No vendor security advisory or patch information is currently referenced in the available intelligence sources.

Remediation

No patch or fixed version information is currently available based on the provided intelligence sources. Organizations using Intumit SmartRobot should immediately implement network segmentation to isolate affected systems from untrusted networks and restrict access to authorized IP addresses only. Contact Intumit directly for patch availability and monitor the TWCERT advisory at https://www.twcert.org.tw/tw/cp-132-7697-ecf10-1.html for updates. Consider disabling the affected systems if they are not mission-critical until a security update becomes available, as the authentication bypass cannot be mitigated through configuration changes alone.

Priority Score

Priority score: 52 (KEV: 0, EPSS: +2.9, CVSS: +49, POC: 0)
