Sage Rtu Firmware
CVE-2024-37038
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
CWE-276: Incorrect Default Permissions vulnerability exists that could allow an authenticated user with access to the device’s web interface to perform unauthorized file and firmware uploads when crafting custom web requests.
AnalysisAI
user with access to the device’s web interface to perform unauthorized file and firmware uploads when crafting custom web requests. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.
Technical ContextAI
This vulnerability is classified as Incorrect Default Permissions (CWE-276), which allows attackers to access resources due to overly permissive default settings. user with access to the device’s web interface to perform unauthorized file and firmware uploads when crafting custom web requests. Affected products include: Schneider-Electric Sage Rtu Firmware.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Set restrictive default permissions, follow principle of least privilege, review defaults during deployment.
More in Sage Rtu Firmware
View allwhen sending a malformed POST request and particular configuration parameters are set. Rated critical severity (CVSS 9.8
exists that could allow a user with access to the device’s web interface to cause a fault on the device when sending a m
Traversal’) vulnerability exists that could allow an authenticated user with access to the device’s web interface to cor
device’s web interface when an attacker sends a specially crafted HTTP request. Rated high severity (CVSS 7.5), this vul
device when an attacker sends a specially crafted HTTP request. Rated high severity (CVSS 7.5), this vulnerability is re
Same weakness CWE-276 – Incorrect Default Permissions
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today