CVE-2024-10497

Published Jan 17, 2025

Last updated 11 days ago

CVSS high 8.7
ICS

Overview

Description
CWE-639: Authorization Bypass Through User-Controlled Key vulnerability exists that could allow an authorized attacker to modify values outside those defined by their privileges (Elevation of Privileges) when the attacker sends modified HTTPS requests to the device.
Source
cybersecurity@se.com
NVD status
Deferred

Risk scores

CVSS 4.0

Type
Secondary
Base score
8.7
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
HIGH

CVSS 3.1

Type
Secondary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

cybersecurity@se.com
CWE-639

Social media

Hype score
Not currently trending

  1. Actively exploited CVE : CVE-2024-10497

    @transilienceai

    7 Feb 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. Actively exploited CVE : CVE-2024-10497

    @transilienceai

    5 Feb 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  3. New post from https://t.co/uXvPWJy6tj (CVE-2024-10497 | Schneider Electric PowerLogic HDPM6000 0.62.7 authorization (SEVD-2025-014-08)) has been published on https://t.co/RnwwSHizGK

    @WolfgangSesin

    17 Jan 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. New post from https://t.co/uXvPWJy6tj (CVE-2024-10497 | Schneider Electric PowerLogic HDPM6000 0.62.7 authorization (SEVD-2025-014-08)) has been published on https://t.co/w9i8KEZnv6

    @WolfgangSesin

    17 Jan 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. [CVE-2024-10497: HIGH] Beware of CWE-639: Authorization Bypass Through User-Controlled Key flaw enabling attackers to elevate privileges by sending modified HTTPS requests to the system. #CyberSecurity#cybersecurity,#vulnerability https://t.co/H8VG05K8Of https://t.co/45l4qLFXQ1

    @CveFindCom

    17 Jan 2025

    30 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Related CVEs

  1. CVE-2024-10085
  2. OpenPLC_V3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator access.CVE-2026-35063
  3. A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior, which would allow remote attackers, in the LON IP-852 management messages, to send specially crafted IP-852 messages resulting in a memory leak from the program's memory.CVE-2026-22885
  4. A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior, which would allow remote attackers, in the LON IP-852 management messages, to send specially crafted IP-852 messages resulting in arbitrary OS command execution on the device.CVE-2026-20761
  5. An unprotected API endpoint allows an attacker to remotely change the device password without providing authentication.CVE-2026-24789

References

Sources include official advisories and independent security research.