Smartrobot
CVE-2024-2413
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Intumit SmartRobot uses a fixed encryption key for authentication. Remote attackers can use this key to encrypt a string composed of the user's name and timestamp to generate an authentication code. With this authentication code, they can obtain administrator privileges and subsequently execute arbitrary code on the remote server using built-in system functionality.
AnalysisAI
A critical authentication bypass vulnerability exists in Intumit SmartRobot due to the use of a hard-coded encryption key. Remote unauthenticated attackers can leverage this fixed key to forge authentication tokens by encrypting user credentials and timestamps, gaining full administrative access to the system. Once authenticated, attackers can execute arbitrary code on the server through built-in system functionality, achieving complete system compromise.
Technical ContextAI
The vulnerability affects Intumit SmartRobot, an automation or robotic control system, across all versions according to the CPE identifier (cpe:2.3:a:intumit:smartrobot:*:*:*:*:*:*:*:*). The root cause is CWE-321 (Use of Hard-coded Cryptographic Key), a severe design flaw where cryptographic keys are embedded directly in the application code rather than being securely generated and managed. This implementation fundamentally breaks the authentication security model as the same key is shared across all installations, allowing anyone who discovers or reverse-engineers the key to forge valid authentication tokens.
RemediationAI
No patch or fixed version information is currently available based on the provided intelligence sources. Organizations using Intumit SmartRobot should immediately implement network segmentation to isolate affected systems from untrusted networks and restrict access to authorized IP addresses only. Contact Intumit directly for patch availability and monitor the TWCERT advisory at https://www.twcert.org.tw/tw/cp-132-7697-ecf10-1.html for updates. Consider disabling the affected systems if they are not mission-critical until a security update becomes available, as the authentication bypass cannot be mitigated through configuration changes alone.
More in Smartrobot
View allA remote code execution vulnerability exists in Intumit SmartRobot's web framework that allows unauthenticated attackers
A Improper Control of Generation of Code ('Code Injection') vulnerability in groovy script function in SmartRobot′s Conv
SmartRobot from INTUMIT has a Server-Side Request Forgery vulnerability, allowing unauthenticated remote attackers to pr
SmartRobot by INTUMIT contains a reflected cross-site scripting (XSS) vulnerability in an insufficiently validated page
Same weakness CWE-321 – Use of Hard-coded Cryptographic Key
View allShare
External POC / Exploit Code
Leaving vuln.today